CVE-2026-45384

MEDIUM 6.1

bit7z: Arbitrary File Overwrite via Symlink Attack on Predictable Temp File During Archive Update

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.

CWE	CWE-59 CWE-377
Vendor	rikyoz
Product	bit7z
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for rikyoz bit7z

Be the first to know when new medium vulnerabilities affecting rikyoz bit7z are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

rikyoz / bit7z

< 4.0.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/rikyoz/bit7z/security/advisories/GHSA-wjch-42rm-q53h github.com: https://github.com/rikyoz/bit7z/releases/tag/v4.0.12