CVE-2026-6940
⚠️ highSummary
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
CVSS Score
7.1
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-04-23
First Seen: 2026-04-27
📊 Relative Risk Intelligence
This CVE is Moderate Risk - more severe than 53.3% of all 329,456 vulnerabilities in our database.
#153,866
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 24, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
Chia Min Jun Lennon
SSVC data provided by
CISA
Last Modified
2026-04-27
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CVSS Vector 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)