PT-2026-34753 · Unknown · Radare2-Mcp

Manthan Ghasadiya

Published

2026-03-24

Updated

2026-04-26

CVE-2026-6942

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions radare2-mcp versions 1.6.0 and earlier

Description An OS command injection flaw allows remote, unauthenticated attackers to execute arbitrary commands on the host system. This is achieved by bypassing the command filter using shell metacharacters in user-controlled input passed to the r2 cmd str() function via parameters in the jsonrpc interface.

Recommendations Update to a version later than 1.6.0.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2026-07861

CVE-2026-6942

Affected Products

Radare2-Mcp

PT-2026-34753 · Unknown · Radare2-Mcp

CVE-2026-6942

Weakness Enumeration

Related Identifiers

Affected Products

References · 7