Path Traversal Vulnerability in Apache Lucene.Net by Apache
CVE-2026-47896

8.9HIGH

Key Information:

Vendor

Apache

Vendor
CVE Published:
3 July 2026

What is CVE-2026-47896?

A path traversal vulnerability exists within the Apache Lucene.Net.Replicator library, where improper limitations allow an attacker to navigate files and directories outside the intended scope. This issue impacts versions 4.8.0-beta00005 through 4.8.0-beta00017. Users are urged to upgrade to version 4.8.0-beta00018 to mitigate this vulnerability effectively.

Affected Version(s)

Apache Lucene.Net 4.8.0-beta00005 < 4.8.0-beta00018

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Cervera
Paul Irwin
Shad Storhaug
.