31 matches found
CVE-2026-23879
A flaw was found in py7zr. An attacker can craft a malicious archive containing symbolic links that, when extracted, can lead to arbitrary file writes outside the intended directory. This vulnerability may allow for remote code execution, privilege escalation, data corruption, or denial of servic...
CVE-2026-23879
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious...
CVE-2026-23879 py7zr: Arbitrary File Write Vulnerability
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious...
CVE-2026-23879
CVE-2026-23879 relates to py7zr, a Python library for 7z archives. Versions ≤1.1.2 contain an arbitrary file write vulnerability in extractall, where crafted symbolic link chains can bypass destination-directory checks and re-create links to arbitrary system paths. This allows writing files via s...
OPENSUSE-SU-2026:11112-1 python311-py7zr-1.1.3-1.1 on GA media
These are all security issues fixed in the python311-py7zr-1.1.3-1.1 package on the GA media of openSUSE Tumbleweed...
py7zr: Arbitrary File Write Vulnerability
Summary: There exists an arbitrary file write vulnerability in py7zr 1.1.0, latest, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links,...
Symlink Attack
Overview: py7zr is a pure Python 7-zip library. Affected versions of this package are vulnerable to Symlink Attack in the extractall method. An attacker can overwrite arbitrary files on the host system by crafting malicious archives containing symbolic link chains that escape the intended extractio...
CVE-2026-23879
creationtimestamp| type| source
---|---|---
2026-06-19 09:31:59+00:00| published-proof-of-concept| https://github.com/miurahr/py7zr/security/advisories/GHSA-q6rc-2cgv-63h7
2026-06-24 22:16:45+00:00| seen| https://bsky.app/profile/postac001.bsky.social/post/3mp2wxlnzkj2d
2026-06-24 23:14:35+00:00|...
PT-2026-51097
Name of the Vulnerable Software and Affected Versions: py7zr versions prior to 0.22.1. Description: The Worker.decompress function in py7zr/worker.py extracts archive entries without tracking the total decompressed size. This allows a specially crafted .7z file to cause disk or memory exhaustion...
EUVD-2025-7018
Malicious code in bioql PyPI...
CVE-2022-44900
A directory traversal vulnerability in the SevenZipFile.extractall function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file...
CVE-2024-12389 Path Traversal in binary-husky/gpt_academic
A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction...
USN-7030-1: py7zr vulnerability
It was discovered that py7zr was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted 7z archive, an attacker could possibly use this issue to write arbitrary files outside the target directory on the host...
Ubuntu 22.04 LTS : py7zr vulnerability (USN-7030-1)
The remote Ubuntu 22.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-7030-1 advisory. It was discovered that py7zr was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted 7z archive, ...
Debian: Security Advisory (DSA-5652-1)
The remote host is missing an update for the Debian...
[SECURITY] [DSA 5652-1] py7zr security update
Debian Security Advisory DSA-5652-1, https://www.debian.org/security/, Moritz Muehlenhoff, April 02, 2024, https://www.debian.org/security/faq ...
Directory Traversal
py7zr is vulnerable to directory traversal. The vulnerability exists in the SevenZipFile.extractall function of py7zr.py due to a lack of sanity checks in paths which allows an attacker to traverse through the file system...
py7zr 0.20.0 Directory Traversal Vulnerability
CVE-2022-44900: path traversal vulnerability in py7zr Directory traversal vulnerability in SevenZipFile.extractall function of the python library py7zr version 0.20.0 and earlier allow attackers to read arbitrary files on the local machine via malicious 7z file extraction. CVE-2022-44900...
py7zr 0.20.0 Directory Traversal
CVE-2022-44900: path traversal vulnerability in py7zr Directory traversal vulnerability in SevenZipFile.extractall function of the python library py7zr version 0.20.0 and earlier allow attackers to read arbitrary files on the local machine via malicious 7z file extraction. CVE-2022-44900...
aqtinstall (=0.9.8), brevettiai (>=0.5.4 <=0.8.5) +19 more potentially affected by CVE-2022-44900 via py7zr (>=0.10.2 <=0.18.5)
py7zr PYPI version =0.10.2, =0.5.4, =0.1.0, =1.1.1.dev1, =1.2.0, =1.1.6, =0.1.0, =1.0.0, =1.1.1, =0.2.6, =2.0.0, =0.2.8, =4.6.0.dev1 and more Source cves: CVE-2022-44900 Source advisory: OSV:GHSA-M8XW-9X5X-6VH3...