CVE-2026-6942

Source
https://cve.org/CVERecord?id=CVE-2026-6942
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6942.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6942
Published
2026-04-23T20:58:10.022Z
Modified
2026-07-16T03:31:13.595447941Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass
Details

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2cmdstr(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6942.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/radareorg/radare2-mcp

Affected ranges

Type
GIT
Repo
https://github.com/radareorg/radare2-mcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:radare:radare2_mcp_server:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.7.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.4.2
1.5.0
1.5.2
1.5.4
1.5.6
1.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6942.json"