Symlink Vulnerability in BBOT's Unarchive Module
CVE-2026-14966
3.1LOW
What is CVE-2026-14966?
The BBOT Unarchive Module contains a vulnerability where its handling of zip and 7z archives does not adequately reject symlink entries prefixed by DOS attributes. This issue occurs particularly when legacy versions of p7zip are utilized, enabling an attacker to create and execute malicious symlinks during the extraction process. Although the symlink itself can be planted, the actual target is not created or written to the system. This vulnerability primarily affects users of outdated p7zip builds, while those using current versions of 7-Zip remain secure.
Affected Version(s)
BBOT 2.3.1 <= 2.8.6
