radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "01ca2f61fa43bd3f4b732447de31b16039d820c0"
},
{
"fixed": "9236f44a28812fe911814e1b3a7bcf1e4de5d3c2"
}
]
},
{
"source": "CPE_FIELD",
"extracted_events": [
{
"introduced": "01ca2f61fa43bd3f4b732447de31b16039d820c0"
},
{
"fixed": "9236f44a28812fe911814e1b3a7bcf1e4de5d3c2"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "radare2"
},
{
"fixed": "9236f44"
},
{
"fixed": "6.1.3"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41015.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-78"
]
}