CVE-2026-14966: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Black Lantern Security BBOT
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.
AI Analysis
Technical Summary
The BBOT unarchive module attempts to reject archives containing symlink entries before extraction to prevent link following issues. However, for zip and 7z archives produced by legacy p7zip versions, the module fails to detect symlinks that have a DOS-attribute prefix before the unix mode in their listing. This bypass allows an attacker to place a symlink controlled by them into the extraction directory during archive extraction, such as during a filedownload scan. The vulnerability is limited to planting the symlink itself; the symlink's target is not overwritten or written through. The issue only affects BBOT versions 2.3.1 through 2.8.6 on hosts using legacy p7zip builds. Current mainline 7-Zip versions are not affected. There is no vendor-provided patch or remediation guidance available at this time.
Potential Impact
An attacker can cause BBOT to write an attacker-controlled symlink into the extraction directory by exploiting improper detection of symlinks in certain archive formats. This could potentially be used to influence subsequent file operations that follow symlinks, but the vulnerability does not allow direct overwriting of symlink targets during extraction. The impact is limited to symlink planting and does not affect confidentiality or availability. The CVSS score is 3.1 (low severity), reflecting limited impact and the requirement for user interaction (UI:R) and high attack complexity (AC:H).
Mitigation Recommendations
No official patch or remediation level has been provided by the vendor. Since the vulnerability depends on using legacy p7zip builds that produce archives with a DOS-attribute prefix, avoiding such legacy archive formats or upgrading to current mainline 7-Zip versions may mitigate the risk. Monitor vendor advisories for any forthcoming patches or official guidance. No immediate action is mandated by the vendor at this time.
CVE-2026-14966: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Black Lantern Security BBOT
Description
BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.
CVSS v3.1
Score 3.1low
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The BBOT unarchive module attempts to reject archives containing symlink entries before extraction to prevent link following issues. However, for zip and 7z archives produced by legacy p7zip versions, the module fails to detect symlinks that have a DOS-attribute prefix before the unix mode in their listing. This bypass allows an attacker to place a symlink controlled by them into the extraction directory during archive extraction, such as during a filedownload scan. The vulnerability is limited to planting the symlink itself; the symlink's target is not overwritten or written through. The issue only affects BBOT versions 2.3.1 through 2.8.6 on hosts using legacy p7zip builds. Current mainline 7-Zip versions are not affected. There is no vendor-provided patch or remediation guidance available at this time.
Potential Impact
An attacker can cause BBOT to write an attacker-controlled symlink into the extraction directory by exploiting improper detection of symlinks in certain archive formats. This could potentially be used to influence subsequent file operations that follow symlinks, but the vulnerability does not allow direct overwriting of symlink targets during extraction. The impact is limited to symlink planting and does not affect confidentiality or availability. The CVSS score is 3.1 (low severity), reflecting limited impact and the requirement for user interaction (UI:R) and high attack complexity (AC:H).
Mitigation Recommendations
No official patch or remediation level has been provided by the vendor. Since the vulnerability depends on using legacy p7zip builds that produce archives with a DOS-attribute prefix, avoiding such legacy archive formats or upgrading to current mainline 7-Zip versions may mitigate the risk. Monitor vendor advisories for any forthcoming patches or official guidance. No immediate action is mandated by the vendor at this time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- BLSOPS
- Date Reserved
- 2026-07-07T15:14:09.717Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4e73c0c9d9e3dbe3604277
Added to database: 07/08/2026, 15:58:56 UTC
Last enriched: 07/08/2026, 16:15:30 UTC
Last updated: 07/09/2026, 00:27:39 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.