Message-ID: <d356cd8e-75f9-2a92-a42b-cc7385d13c05@apache.org>
Date: Thu, 02 Jul 2026 23:00:31 +0000
From: Paul Irwin <paulirwin@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-47896: Apache Lucene.Net: Unauthenticated arbitrary file
 read on the Lucene.Net.Replicator replication server 

Severity: 

Affected versions:

- Apache Lucene.Net (Lucene.Net.Replicator) 4.8.0-beta00005 before 4.8.0-beta00018

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).

This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

Credit:

Daniel Cervera (reporter)
Paul Irwin (coordinator)
Shad Storhaug (remediation reviewer)

References:

https://lucenenet.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-47896
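
A dependency check for the affected range stated above, as an added example that is not part of the advisory or of the Lucene.Net project: it scans a project file for pinned `Lucene.Net.Replicator` versions and flags those inside the range. The sample project file is constructed, and the version comparison is a simplified approximation of NuGet ordering (an assumption, noted in the code).

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Lucene.Net.Replicator"    # library named in the advisory
FIRST_AFFECTED = "4.8.0-beta00005"   # range as stated in the advisory
FIRST_FIXED = "4.8.0-beta00018"

def version_key(version):
    """Sort key for 'X.Y.Z[-label]'; a prerelease sorts before its release.
    Simplification: the label is compared as one lower-cased string."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        raise ValueError(f"not a pinned version: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    label = (m.group(2) or "").lower()
    return (nums, 0 if label else 1, label)

def is_affected(version):
    """True/False for a pinned version; None if unparseable (floating/range)."""
    try:
        key = version_key(version)
    except ValueError:
        return None
    return version_key(FIRST_AFFECTED) <= key < version_key(FIRST_FIXED)

def referenced_versions(project_xml):
    """Versions of PACKAGE declared in a .csproj or Directory.Packages.props."""
    found = []
    for elem in ET.fromstring(project_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]            # drop XML namespace, if any
        if (tag not in ("PackageReference", "PackageVersion")
                or (elem.get("Include") or "").lower() != PACKAGE.lower()):
            continue
        version = elem.get("Version")
        if version is None:                          # <Version> child element form
            child = next((c for c in elem if c.tag.endswith("Version")), None)
            version = child.text if child is not None else None
        if version:
            found.append(version.strip())
    return found

# Constructed sample project file, for illustration only.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Lucene.Net" Version="4.8.0-beta00017" />
    <PackageReference Include="Lucene.Net.Replicator" Version="4.8.0-beta00016" />
  </ItemGroup>
</Project>"""
```

A `None` result from `is_affected` means the reference is a floating version or a range and has to be resolved by hand, for example from the restored lock file.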
