Arbitrary File Write Vulnerability in py7zr Library by miurahr
CVE-2026-23879

8HIGH

Key Information:

Vendor

Miurahr

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-23879?

The py7zr library, a Python-based tool for handling 7zip archives, is affected by a vulnerability that enables arbitrary file writes due to improper handling of symbolic links. This flaw allows attackers to exploit crafted malicious archives, leading to the recreation of symbolic links outside intended directories. When extracting files, the library fails to verify the complete symlink path, bypassing directory restrictions. As a result, attackers can manipulate the system by extracting files to arbitrary locations, potentially leading to compromising the host system, privilege escalation, data corruption, or denial of service. The vulnerability has been resolved in version 1.1.3.

Affected Version(s)

py7zr < 1.1.3

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.