CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-14966

lowCVSS 3.1covered by 1 sourcefirst seen 2026-07-08
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.

⚡ Watch CVE-2026-14966

Get an email if CVE-2026-14966 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-14966

CVE.org record

Embed the live status

CVE-2026-14966 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-14966 status](https://www.csirts.com/badge/CVE-2026-14966)](https://www.csirts.com/cve/CVE-2026-14966)