Directory Traversal Vulnerability in Apache Ivy Affects Major Versions
CVE-2026-26032
5.4MEDIUM
What is CVE-2026-26032?
The PackagerResolver of Apache Ivy allows an attacker to exploit a directory traversal issue. By manipulating Ivy coordinates containing '../' sequences in ivy.xml files, an attacker with access to a packager repository can break out of the specified 'buildRoot' directory and potentially overwrite other files. This vulnerability affects Apache Ivy versions 2.0.0 through 2.5.3, and users should upgrade to version 2.6.0 to mitigate the risk.
Affected Version(s)
Apache Ivy 2.0.0 <= 2.5.3