PT-2026-34752 · Radware+2 · Radare2
Published: 2026-04-23 · Updated: 2026-04-24 · CVE-2026-6941
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
radare2 versions prior to 6.1.4
Description
An issue in project notes handling allows attackers to read or write files outside the configured project directory. This occurs when importing a malicious .zrp archive containing a symlinked notes.txt file, which bypasses directory confinement checks and allows operations to access arbitrary files outside the dir.projects root directory. Path traversal is a technique where attackers use special characters or symlinks to access files and directories that are stored outside the intended folder.
Recommendations
Update to version 6.1.4 or later.
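The confinement bypass in the description, as an added example (not radare2's code and not its fix): a check that only inspects the path string accepts a symlinked notes.txt, while a check on the resolved path rejects it. The function names, the temporary directory layout and every file name except notes.txt are assumptions constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: inspects only the path string, so a symlink inside root passes. */
static int lexically_inside(const char *root, const char *path) {
	size_t n = strlen(root);
	return !strncmp(path, root, n) && path[n] == '/' && !strstr(path, "..");
}

/* Stronger: canonicalise both sides (symlinks resolved), then compare on a
 * path-component boundary. Paths that cannot be resolved are rejected. */
static int resolves_inside(const char *root, const char *path) {
	char r[PATH_MAX], p[PATH_MAX];
	if (!realpath(root, r) || !realpath(path, p)) return 0;
	size_t n = strlen(r);
	return !strncmp(p, r, n) && (p[n] == '/' || p[n] == '\0');
}

/* Constructed fixture: <tmp>/projects/demo/notes.txt -> <tmp>/outside.txt.
 * Returns a mask: bit 0 = string check accepts the link, bit 1 = resolved
 * check accepts the link, bit 2 = resolved check accepts a regular file in
 * the project. Returns -1 if the fixture cannot be created. */
static int run_fixture(void) {
	char tmp[] = "/tmp/confineXXXXXX", root[64], proj[64], out[64], notes[64], plain[64];
	FILE *f;
	if (!mkdtemp(tmp)) return -1;
	snprintf(root, sizeof root, "%s/projects", tmp);
	snprintf(proj, sizeof proj, "%s/projects/demo", tmp);
	snprintf(out, sizeof out, "%s/outside.txt", tmp);
	snprintf(notes, sizeof notes, "%s/projects/demo/notes.txt", tmp);
	snprintf(plain, sizeof plain, "%s/projects/demo/plain.txt", tmp);
	if (mkdir(root, 0700) || mkdir(proj, 0700)) return -1;
	if (!(f = fopen(out, "w"))) return -1;
	fclose(f);
	if (!(f = fopen(plain, "w"))) return -1;
	fclose(f);
	if (symlink(out, notes)) return -1;
	int res = lexically_inside(root, notes) | (resolves_inside(root, notes) << 1)
	        | (resolves_inside(root, plain) << 2);
	unlink(notes); unlink(plain); unlink(out); rmdir(proj); rmdir(root); rmdir(tmp);
	return res;
}

int main(void) { printf("mask=%d\n", run_fixture()); return 0; }
```

Resolving and then opening by path is still a check-then-use sequence; opening the file with O_NOFOLLOW makes the open itself fail when the final component is a symlink.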
Exploit
Fix
Path traversal
Link Following
Affected Products
Radare2