CVE-2026-6941

radare2 < 6.1.4 Project Notes Path Traversal via Symlink

CVSS 6.9 MEDIUMEPSS 0.2%CWE-59

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Affected products

radareorg · radare2

public PoCs found — 1

cve_referencegithub.com/radareorg/radare2/pull/25831unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4 https://github.com/radareorg/radare2/pull/25831 https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlink