PT-2026-51047 · Pypi · Py7Zr

Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-23879

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: py7zr version 1.1.0

Description: An arbitrary file write issue exists when using the extractall() function to extract an archive. The software fails to properly restrict the targets of symbolic links, so a crafted chain of symbolic links can be recreated pointing outside the destination directory. Because the directory-boundary check is bypassed, the library restores symbolic links that point to arbitrary directories on the host file system; subsequent extraction of regular files through these links writes them to arbitrary paths, which may lead to remote code execution, privilege escalation, data corruption, or denial of service.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
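The defensive check an extractor needs here is to vet the whole member listing before writing anything: resolve every member path component by component, follow any symlink members that occur as prefixes (including chains of links), and reject the archive if any step leaves the destination root. The following is an added example written for this advisory; it is not py7zr's code and does not use its API. The Member type, the listing it vets and the function names are constructed for illustration, and member names are assumed to be '/'-separated archive-relative paths.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional

MAX_LINK_DEPTH = 16  # bound on symlink hops so a link cycle cannot loop forever


class UnsafeMember(Exception):
    """Raised when an archive member would land outside the destination directory."""


@dataclass
class Member:
    """Minimal stand-in for an archive entry (constructed for this example;
    not py7zr's own member type)."""
    name: str                      # archive-relative path, '/' separated
    is_symlink: bool = False
    target: Optional[str] = None   # link target as stored in the archive


def resolve_in_archive(path: str, symlinks: dict, depth: int = 0) -> str:
    """Walk `path` component by component, following symlink members that
    occur as path prefixes, and return the destination-relative location the
    path really refers to. Any step that leaves the destination root raises."""
    if depth > MAX_LINK_DEPTH:
        raise UnsafeMember(f"symlink chain too deep or cyclic at {path!r}")
    if posixpath.isabs(path):
        raise UnsafeMember(f"absolute path {path!r}")
    resolved = ""  # location reached so far, relative to the destination root
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            # '..' is applied to the *resolved* location, as the OS would do
            # after following a link, not to the lexical archive name.
            if resolved == "":
                raise UnsafeMember(f"{path!r} escapes the destination via '..'")
            resolved = posixpath.dirname(resolved)
            continue
        candidate = f"{resolved}/{comp}" if resolved else comp
        if candidate in symlinks:
            target = symlinks[candidate]
            if posixpath.isabs(target):
                raise UnsafeMember(f"symlink {candidate!r} has absolute target {target!r}")
            # A relative target is interpreted from the link's own directory,
            # and may itself pass through further symlink members.
            joined = f"{resolved}/{target}" if resolved else target
            candidate = resolve_in_archive(joined, symlinks, depth + 1)
        resolved = candidate
    return resolved


def unsafe_members(members) -> dict:
    """Return {member name: reason} for every member that, through '..',
    an absolute path, or a chain of symlink members, would be written
    outside the destination directory. An empty dict means the listing
    passes these checks."""
    symlinks = {m.name: m.target for m in members if m.is_symlink}
    problems = {}
    for m in members:
        try:
            resolve_in_archive(m.name, symlinks)
        except UnsafeMember as exc:
            problems[m.name] = str(exc)
    return problems


# Constructed listing modelled on the symlink-chain pattern the advisory
# describes; none of these entries come from a real archive.
SAMPLE_MEMBERS = [
    Member("docs", is_symlink=True, target="real_docs"),        # harmless internal link
    Member("real_docs/readme.txt"),
    Member("docs/readme.txt"),                                  # written through the link, still inside
    Member("sub/link", is_symlink=True, target="../real_docs"), # '..' that stays inside
    Member("sub/link/notes.txt"),
    Member("hop", is_symlink=True, target="out"),               # chain: hop -> out -> ../../escaped
    Member("out", is_symlink=True, target="../../escaped"),
    Member("hop/payload.txt"),                                  # would land outside via the chain
    Member("absolute", is_symlink=True, target="/tmp/elsewhere"),
    Member("loop_a", is_symlink=True, target="loop_b"),         # link cycle
    Member("loop_b", is_symlink=True, target="loop_a"),
    Member("../direct.txt"),                                    # plain traversal
]

if __name__ == "__main__":
    for name, why in unsafe_members(SAMPLE_MEMBERS).items():
        print(f"REJECT {name}: {why}")
```

Run the check over the complete listing before the first write and refuse the whole archive on any finding, since an earlier member can create the link a later one writes through. The check vets the listing only; an extractor must still refuse to write through links that already exist on disk at the destination.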

Weakness Enumeration

Link Following

Related Identifiers

CVE-2026-23879
GHSA-Q6RC-2CGV-63H7

Affected Products

Py7Zr