CVE-2026-23879

Source
https://cve.org/CVERecord?id=CVE-2026-23879
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23879.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23879
Aliases
Downstream
Related
Published
2026-06-24T19:17:28.605Z
Modified
2026-07-13T16:43:11.927099835Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
py7zr: Arbitrary File Write Vulnerability
Details

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23879.json"
}
References

Affected packages

Git / github.com/miurahr/py7zr

Affected ranges

Type
GIT
Repo
https://github.com/miurahr/py7zr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.3"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.10.0a1
v0.10.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.9
v0.2.0
v0.20.0
v0.20.1
v0.20.2
v0.20.4
v0.20.5
v0.20.6
v0.20.7
v0.20.8
v0.21.0
v0.21.1
v0.22.0
v0.3
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4a1
v0.4a2
v0.4b1
v0.5a1
v0.5a2
v0.5a3
v0.5a4
v0.5b1
v0.5b2
v0.5b3
v0.5b4
v0.5b5
v0.5b6
v0.6
v0.6a1
v0.6a2
v0.6b1
v0.6b2
v0.6b3
v0.6b4
v0.6b5
v0.6b6
v0.6b7
v0.6b8
v0.6rc
v0.7.0
v0.7.0b1
v0.7.0b2
v0.7.0b3
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.0a1
v0.8.0a2
v0.8.0a3
v0.8.0b1
v0.8.0b2
v0.8.0b3
v0.8.0b4
v0.8.0b5
v0.8.0b6
v0.8.0b7
v0.8.0b8
v0.9.0
v0.9.0a1
v0.9.0a2
v0.9.0b1
v0.9.0b2
v0.9.0b3
v0.9.1
v0.9.2
v1.*
v1.0.0-rc1
v1.0.0rc2
v1.0.0rc3
v1.1.0
v1.1.0rc2
v1.1.0rc3
v1.1.0rc4
v1.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23879.json"