CVE-2026-6940

Name of the Vulnerable Software and Affected Versions radare2 versions prior to 6.1.4

Description A path traversal issue in project deletion allows local attackers to recursively delete arbitrary directories. By supplying absolute paths that escape the configured dir.projects root directory, attackers can target project marker files outside the project storage boundary. This action results in the recursive deletion of chosen directories using the permissions of the radare2 process, leading to loss of integrity and availability.

Recommendations Update to version 6.1.4 or later.