CVE-2026-45384

Published: Jun 10, 2026Modified: Jun 11, 2026Deferred

6.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Exploitability: 1.8 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.

Related CWEs

CWE-377

Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (3)

https://github.com/rikyoz/bit7z/releases/tag/v4.0.12

Source: security-advisories@github.com

https://github.com/rikyoz/bit7z/security/advisories/GHSA-wjch-42rm-q53h

Source: security-advisories@github.com

https://github.com/rikyoz/bit7z/security/advisories/GHSA-wjch-42rm-q53h

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.