Skip to main content

BBOT EUVDEUVD-2026-42295

| CVE-2026-14966 LOW
Improper Link Resolution Before File Access (CWE-59)
2026-07-08 BLSOPS
3.1
CVSS 3.1 · Vendor: BLSOPS

Severity by source

Vendor (BLSOPS) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

Network vector because attacker serves the archive remotely; AC:H due to hard legacy-p7zip prerequisite; UI:R for required user-initiated scan; I:L only as symlink is planted but not resolved.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (BLSOPS).

CVSS VectorVendor: BLSOPS

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 16:38 vuln.today

DescriptionCVE.org

BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.

AnalysisAI

Symlink extraction bypass in BBOT's unarchive module allows an attacker to plant an attacker-controlled symlink into the extraction directory when BBOT scans and fetches a crafted zip or 7z archive. The bypass exploits BBOT's failure to detect symlink entries carrying a DOS-attribute prefix before the unix mode field, a format produced by legacy p7zip builds - a variant the pre-extraction guard did not account for. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts zip/7z with DOS-attribute symlink entry
Delivery
Hosts malicious archive on scan-target server
Exploit
BBOT scan fetches archive via filedownload
Execution
Unarchive module fails to detect obfuscated symlink
Persist
Symlink guard bypassed without raising exception
Impact
Attacker-controlled symlink written to extraction directory

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following to be true simultaneously: (1) the BBOT scan must be configured to use the filedownload (or equivalent) module so that it fetches and extracts remote archives, (2) the scanning host must have a legacy p7zip build installed - current mainline 7-Zip does not produce the triggering DOS-attribute-prefixed symlink format and is not affected, (3) the attacker must be able to serve a crafted zip or 7z archive to the scanner (e.g., by hosting it on a web server that falls within the scan's target scope), and (4) a user must actively initiate the BBOT scan (UI:R per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 3.1 (Low) is consistent with the narrow real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker places a specially crafted zip or 7z archive on a server within a BBOT scan's target scope, where the archive contains a symlink entry formatted with a DOS-attribute prefix as produced by legacy p7zip. When a security operator runs a BBOT scan that includes the filedownload module and the scanner fetches and extracts the archive, BBOT's symlink guard fails to detect the entry, writing an attacker-controlled symlink into the local extraction directory. …
Remediation Apply the upstream fix by updating BBOT to a version incorporating commit a3f1a2292e2b0a553827c6175b761abe28807735 (https://github.com/blacklanternsecurity/bbot/commit/a3f1a2292e2b0a553827c6175b761abe28807735). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy