{"id":"CVE-2026-14966","details":"BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.","modified":"2026-07-15T07:30:12.432571Z","published":"2026-07-08T16:16:27.237Z","references":[{"type":"FIX","url":"https://github.com/blacklanternsecurity/bbot/commit/a3f1a2292e2b0a553827c6175b761abe28807735"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/blacklanternsecurity/bbot","events":[{"introduced":"0"},{"fixed":"a3f1a2292e2b0a553827c6175b761abe28807735"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v3.0.0.1386rc","v3.0.0.1349rc","v3.0.0.1345rc","v3.0.0.1343rc","v3.0.0.1333rc","v3.0.0.1317rc","v3.0.0.1313rc","v3.0.0.1304rc","v3.0.0.1274rc","v3.0.0.1271rc","v3.0.0.1254rc","v3.0.0.1190rc","v3.0.0.1184rc","v3.0.0.1173rc","v3.0.0.1153rc","v3.0.0.1141rc","v3.0.0.1139rc","v3.0.0.1137rc","v3.0.0.1079rc","v3.0.0.1070rc","v3.0.0.1068rc","v3.0.0.1064rc","v3.0.0.1062rc","v3.0.0.1056rc","v3.0.0.986rc","v3.0.0.903rc","v3.0.0.981rc","v3.0.0.909rc","v3.0.0.907rc","v3.0.0.897rc","v3.0.0.884rc","v3.0.0.876rc","v3.0.0.870rc","v3.0.0.858rc","v3.0.0.851rc","v3.0.0.849rc","v3.0.0.829rc","v3.0.0.836rc","v3.0.0.821rc","v3.0.0.819rc","v3.0.0.798rc","v3.0.0.795rc","v3.0.0.793rc","v3.0.0.786rc","v3.0.0.782rc","v3.0.0.773rc","v3.0.0.767rc","v3.0.0.765rc","v3.0.0.691rc","v3.0.0.673rc","v3.0.0.671rc","v3.0.0.669rc","v3.0.0.659rc","v3.0.0.654rc","v3.0.0.652rc","v3.0.0.649rc","v3.0.0.647rc","v","v3.0.0.0rc"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14966.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}