The vulnerability resides in the ZIP extraction logic used by OneCommander. During the extraction process, the application fails to validate archive entry paths, allowing relative directory traversal sequences such as ../../AppData/ to be passed directly to the file system. This behavior results from insufficient path validation in both the underlying SevenZipSharp library and the application.
An attacker can exploit this behavior to extract malicious files into the user's Startup folder, enabling arbitrary code execution when the system boots.
The vendor resolved the issue by completely removing the ZIP extraction feature from OneCommander. The fix is included in versions 3.103.0 (Standalone) and 3.102.1 (Microsoft Store).
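The missing check described above is the classic "zip slip" pattern: an extractor joins each archive entry name onto the destination directory and lets the file system resolve `..` components. The following is an added Python example (it is not OneCommander's or SevenZipSharp's code, and the function names `is_safe_entry`, `naive_target`, `safe_extract`, `build_sample_archive` and `demo` are illustrative) that builds a small constructed archive containing one benign entry, one `../../AppData/` traversal entry and one absolute-path entry, shows where an unvalidated join would place the traversal entry, and then extracts with a per-entry path check that rejects anything resolving outside the destination root.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def naive_target(dest_root: str, entry_name: str) -> str:
    """Where an unvalidated extractor would write this entry: plain join, then
    let the OS collapse '..'. This is the behaviour the advisory describes."""
    return os.path.normpath(os.path.join(dest_root, entry_name.replace("\\", "/")))


def is_safe_entry(dest_root: str, entry_name: str) -> bool:
    """Return True only if the entry can never land outside dest_root.

    Policy (stricter than a bare prefix check):
      * reject empty names, absolute paths and drive-letter prefixes
      * reject any '..' component, even ones that would stay inside the root
      * finally confirm the resolved target shares the root as its common path
    """
    name = entry_name.replace("\\", "/")  # normalise Windows separators
    if not name or name.startswith("/"):
        return False
    if len(name) > 1 and name[1] == ":":  # e.g. C:/... from a Windows-built archive
        return False
    parts = PurePosixPath(name).parts
    if ".." in parts:
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *parts))
    return os.path.commonpath([root, target]) == root


def safe_extract(archive_bytes: bytes, dest_root: str):
    """Extract only validated entries; return (accepted, rejected) entry names."""
    os.makedirs(dest_root, exist_ok=True)
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_root, info.filename):
                rejected.append(info.filename)
                continue
            parts = PurePosixPath(info.filename.replace("\\", "/")).parts
            target = os.path.join(dest_root, *parts)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            accepted.append(info.filename)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry plus two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content")
        zf.writestr("../../AppData/evil.txt", "would escape the extraction root")
        zf.writestr("C:/absolute.txt", "absolute path, also rejected")
    return buf.getvalue()


def demo() -> dict:
    """Run the hardened extractor into a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        accepted, rejected = safe_extract(build_sample_archive(), dest)
        readme_present = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
        escaped = os.path.exists(os.path.join(dest, "..", "..", "AppData", "evil.txt"))
    return {
        "accepted": accepted,
        "rejected": sorted(rejected),
        "readme_present": readme_present,
        "escaped_file_written": escaped,
    }


if __name__ == "__main__":
    print("naive join would write to:", naive_target("/tmp/extract_root", "../../AppData/evil.txt"))
    print(demo())
```

The check deliberately rejects every `..` component rather than only testing a normalised prefix: a prefix test alone is easy to get wrong (for example `/tmp/out` versus `/tmp/outside`), and archives produced by legitimate tools have no reason to contain `..` at all. Separators are normalised before validation because `SevenZipSharp`-style extractors on Windows accept both `/` and `\` in entry names.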
