CVE-2026-14966

Source
https://cve.org/CVERecord?id=CVE-2026-14966
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14966.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14966
Published
2026-07-08T16:16:27.237Z
Modified
2026-07-15T07:30:12.432571Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.

References

Affected packages

Git / github.com/blacklanternsecurity/bbot

Affected ranges

Type
GIT
Repo
https://github.com/blacklanternsecurity/bbot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

Other
v
v3.*
v3.0.0.0rc
v3.0.0.1056rc
v3.0.0.1062rc
v3.0.0.1064rc
v3.0.0.1068rc
v3.0.0.1070rc
v3.0.0.1079rc
v3.0.0.1137rc
v3.0.0.1139rc
v3.0.0.1141rc
v3.0.0.1153rc
v3.0.0.1173rc
v3.0.0.1184rc
v3.0.0.1190rc
v3.0.0.1254rc
v3.0.0.1271rc
v3.0.0.1274rc
v3.0.0.1304rc
v3.0.0.1313rc
v3.0.0.1317rc
v3.0.0.1333rc
v3.0.0.1343rc
v3.0.0.1345rc
v3.0.0.1349rc
v3.0.0.1386rc
v3.0.0.647rc
v3.0.0.649rc
v3.0.0.652rc
v3.0.0.654rc
v3.0.0.659rc
v3.0.0.669rc
v3.0.0.671rc
v3.0.0.673rc
v3.0.0.691rc
v3.0.0.765rc
v3.0.0.767rc
v3.0.0.773rc
v3.0.0.782rc
v3.0.0.786rc
v3.0.0.793rc
v3.0.0.795rc
v3.0.0.798rc
v3.0.0.819rc
v3.0.0.821rc
v3.0.0.829rc
v3.0.0.836rc
v3.0.0.849rc
v3.0.0.851rc
v3.0.0.858rc
v3.0.0.870rc
v3.0.0.876rc
v3.0.0.884rc
v3.0.0.897rc
v3.0.0.903rc
v3.0.0.907rc
v3.0.0.909rc
v3.0.0.981rc
v3.0.0.986rc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14966.json"