Symlink Vulnerability in BBOT's Unarchive Module
CVE-2026-14966

3.1LOW

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-14966?

The BBOT Unarchive Module contains a vulnerability where its handling of zip and 7z archives does not adequately reject symlink entries prefixed by DOS attributes. This issue occurs particularly when legacy versions of p7zip are utilized, enabling an attacker to create and execute malicious symlinks during the extraction process. Although the symlink itself can be planted, the actual target is not created or written to the system. This vulnerability primarily affects users of outdated p7zip builds, while those using current versions of 7-Zip remain secure.

Affected Version(s)

BBOT 2.3.1 <= 2.8.6

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.