CVE-2026-23879: py7zr: Arbitrary File Write Vulnerability

June 19, 2026

There exists an arbitrary file write vulnerability in py7zr (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service.

References

github.com/advisories/GHSA-q6rc-2cgv-63h7
github.com/miurahr/py7zr/releases/tag/v1.1.3
github.com/miurahr/py7zr/security/advisories/GHSA-q6rc-2cgv-63h7
nvd.nist.gov/vuln/detail/CVE-2026-23879

Code Behaviors & Features

Detect and mitigate CVE-2026-23879 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →