Path Traversal Vulnerability in Apache Lucene.Net by Apache
CVE-2026-47897

8.9HIGH

Key Information:

Vendor

Apache

Vendor
CVE Published:
3 July 2026

What is CVE-2026-47897?

A path traversal vulnerability exists in the Apache Lucene.Net Replicator library, compromising the integrity of file handling. This weakness allows attackers to manipulate pathnames, potentially accessing arbitrary directories on the server. Affected versions range from 4.8.0-beta00005 to 4.8.0-beta00017. Users are encouraged to upgrade to version 4.8.0-beta00018 or later to mitigate the risk associated with this vulnerability.

Affected Version(s)

Apache Lucene.Net 4.8.0-beta00005 < 4.8.0-beta00018

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Cervera
Paul Irwin
Shad Storhaug
.