CVE-2026-41015OS Command Injection in Radare2

CWE-78OS Command Injection4 documents4 sources
Severity
7.4HIGHNVD
EPSS
0.0%
top 98.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Radare Radare2
Timeline
PublishedApr 16

Description

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 1.4 | Impact: 5.9

Affected Packages1 packages

CVEListV5radare/radare201ca2f61fa43bd3f4b732447de31b16039d820c09236f44a28812fe911814e1b3a7bcf1e4de5d3c2

🔴Vulnerability Details

2
VulDB
radare2 6.1.2 on UNIX os command injection (Issue 25650)2026-04-16
GHSA
GHSA-v352-gq4q-9qjf: radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP2026-04-16

💬Community

1
Bugzilla
CVE-2026-41015 radare2: radare2: Command injection via PDB name in rabin2 -PP allows arbitrary code execution2026-04-16