CVE-2026-47897 PUBLISHED

Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client

Assigner: apache
Reserved: 20.05.2026 Published: 03.07.2026 Updated: 03.07.2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).

This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y/RE:L
CVSS Score: 8.9

Product Status

Vendor Apache Software Foundation
Product Apache Lucene.Net
Versions Default: unaffected
  • affected from 4.8.0-beta00005 to 4.8.0-beta00018 (excl.)

Credits

  • Daniel Cervera reporter
  • Paul Irwin coordinator
  • Shad Storhaug remediation reviewer

References

Problem Types

  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE