Improper XML External Entity Reference in Apache Lucene.Net Library
CVE-2026-47898

4 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 3 July 2026

What is CVE-2026-47898?

A vulnerability in the Apache Lucene.Net.Analysis.Common library can lead to improper handling of XML External Entity references, potentially exposing applications to unauthorized data access. Affected versions are 4.8.0-beta00005 through 4.8.0-beta00017. Users are strongly advised to upgrade to version 4.8.0-beta00018 to mitigate this issue.

Affected Version(s)

Apache Lucene.Net 4.8.0-beta00005 < 4.8.0-beta00018

CVSS V4

Score: 4
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Cervera
Paul Irwin
Shad Storhaug