If you use WinRAR, go check its version right now
WinRAR has sat on millions of PCs for decades, quietly unpacking downloads and email attachments. It also has a habit that just turned into a liability: it never updates itself. A flaw disclosed this month, CVE-2026-14191, means an out-of-date copy can be turned against you by nothing more than a rigged archive.
The bug is in how WinRAR handles RAR5 recovery volumes - the .rev files meant to repair a damaged archive. An attacker can craft a set of them that makes WinRAR write data outside the memory it's allowed to touch, and under the right conditions that lets them run their own code on your machine. This isn't hypothetical: a WinRAR hole patched last year was seized on by state-backed hackers within weeks, precisely because so many people never install the fix.
The patch here is WinRAR 7.23, and it's free - but you have to go and get it, because WinRAR won't prompt you. Open the program, click Help > About WinRAR to see your version, and if it's older than 7.23, download the new one from win-rar.com and install it over the top. While you're at it, keep treating archives from people you don't know the way you'd treat any surprise attachment, and don't open them.
Apps that don't update themselves are the ones that quietly fall behind and become a way in. Tendvane's app-update tool checks the software on your PC against Windows' own package manager (winget) and flags the ones running old, vulnerable versions - so a program like WinRAR doesn't sit forgotten at a release from years ago.