Arbitrary File Write Vulnerability in py7zr Library by miurahr
CVE-2026-23879
8HIGH
What is CVE-2026-23879?
The py7zr library, a Python-based tool for handling 7zip archives, is affected by a vulnerability that enables arbitrary file writes due to improper handling of symbolic links. This flaw allows attackers to exploit crafted malicious archives, leading to the recreation of symbolic links outside intended directories. When extracting files, the library fails to verify the complete symlink path, bypassing directory restrictions. As a result, attackers can manipulate the system by extracting files to arbitrary locations, potentially leading to compromising the host system, privilege escalation, data corruption, or denial of service. The vulnerability has been resolved in version 1.1.3.
Affected Version(s)
py7zr < 1.1.3
