CVE-2026-27115
Published: 20 February 2026
Summary
CVE-2026-27115 is a high-severity Path Traversal (CWE-22) vulnerability in Alex4Ssb Adb Explorer. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables arbitrary recursive directory deletion (data destruction via Directory.Delete) when a malicious .lnk/batch/script passes an attacker-controlled path argument; exploitation directly requires user execution of that malicious file.
NVD Description
ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below have an unvalidated command-line argument that allows any user to trigger recursive deletion of arbitrary directories on the Windows filesystem. ADB Explorer accepts an optional path…
more
argument to set a custom data directory, but only check whether the path exists. The ClearDrag() method calls Directory.Delete(dir, true) on every subdirectory of that path at both application startup and exit. An attacker can craft a malicious shortcut (.lnk) or batch script that launches ADB Explorer with a critical directory (e.g. C:\Users\%USERNAME%\Documents) as the argument, causing permanent recursive deletion of all its subdirectories. Any user who launches ADB Explorer via a crafted shortcut, batch file, or script loses the contents of the targeted directory permanently (deletion bypasses the Recycle Bin). This issue has been fixed in version 0.9.26021.
Deeper analysisAI
CVE-2026-27115 affects ADB Explorer, a Windows application providing a fluent user interface for the Android Debug Bridge (ADB). Versions 0.9.26020 and prior contain an unvalidated command-line argument vulnerability that enables recursive deletion of arbitrary directories on the Windows filesystem. The application accepts an optional path argument to specify a custom data directory but only verifies if the path exists, without further validation. During application startup and exit, the ClearDrag() method invokes Directory.Delete(dir, true) on every subdirectory of the provided path, allowing unintended file system modifications.
The vulnerability can be exploited by any attacker who tricks a user into launching ADB Explorer via a malicious shortcut (.lnk file), batch script, or similar mechanism that passes a critical directory—such as C:\Users\%USERNAME%\Documents—as the command-line argument. This requires local access to create the malicious launcher but relies on user interaction (UI:R) with no privileges (PR:N). Successful exploitation results in permanent recursive deletion of all subdirectories within the targeted path, bypassing the Windows Recycle Bin and causing high integrity (I:H) and availability (A:H) impacts with a CVSS v3.1 base score of 7.1.
Mitigation is available in ADB Explorer version 0.9.26021, which addresses the issue through changes detailed in the project's GitHub commit (f7554690b1f68c6066c12aa45aec60303bca545b), release notes (v0.9.26021), and security advisory (GHSA-rg2h-2p33-rxcr). Security practitioners should advise users to update immediately and avoid launching the application from untrusted shortcuts or scripts. The vulnerability maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).
Details
- CWE(s)