
Apache Lucene.Net EUVD-2026-41517 | CVE-2026-47898 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
4.0 MEDIUM (CVSS 4.0, Vendor rating)

Severity by source

Vendor (CNA), primary rating: 4.0 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.5 HIGH
Rationale: Network vector for typical API/web deployment; PR:L because supplying XML patterns to PatternParser generally requires at least application-level access; S:C and C:H for cross-boundary file read; A:L for potential entity-expansion DoS.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None

Lifecycle Timeline

Patch available: Jul 03, 2026 09:01 (EUVD)
CVSS changed to 4.0 (MEDIUM): Jul 03, 2026 08:22 (NVD)
Analysis generated: Jul 03, 2026 02:16 (vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Supply malicious XML with external entity
Exploit
PatternParser resolves entity reference
Execution
Access local filesystem via file:// URI
Impact
Exfiltrate file contents through application response

Vulnerability Assessment (AI)

Exploitation
Exploitation requires that attacker-controlled or attacker-influenced XML content reaches a PatternParser instance within the application. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment
No NVD CVSS vector or score was provided with this CVE, requiring independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario
An attacker who can submit XML-formatted pattern definitions to an application that passes them to PatternParser constructs a document containing an external entity referencing a sensitive file (e.g., /etc/passwd, web.config, or an internal cloud metadata endpoint). When PatternParser processes the document without entity resolution restrictions, the parser fetches and includes the file content, which the attacker can then observe via application output or error messages. …

Remediation
Upgrade Lucene.Net.Analysis.Common to version 4.8.0-beta00018, which is the vendor-confirmed patched release. … Detailed patch versions, workarounds, and compensating controls in full report.
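A compensating control for the scenario above, added here as an example and not code from Lucene.Net or from this report: it assumes the application reads hyphenation-pattern XML through System.Xml's XmlReader, and the sample document and the file:///tmp/secret.txt path are constructed placeholders. The weak XmlReaderSettings are shown beside the restricted ones so the two knobs the remediation depends on (DTD processing and the entity resolver) are explicit.

```csharp
using System.IO;
using System.Xml;

// Added example, not Lucene.Net code. Assumes the application loads a
// hyphenation pattern document through System.Xml's XmlReader.
public static class HardenedPatternLoader
{
    // Constructed sample: a DOCTYPE declaring an external entity that an
    // unrestricted parser would resolve from the local filesystem.
    // file:///tmp/secret.txt is a placeholder path.
    public const string SamplePatternXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE hyphenation-info [\n" +
        "  <!ENTITY ext SYSTEM \"file:///tmp/secret.txt\">\n" +
        "]>\n" +
        "<hyphenation-info><patterns>&ext;</patterns></hyphenation-info>";

    // Weak configuration: the DTD is parsed and a resolver is available,
    // so &ext; is expanded with the contents of the referenced file.
    public static XmlReaderSettings UnsafeSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver()
    };

    // Hardened configuration: any DTD is rejected before entities exist, and
    // with no resolver nothing can be fetched even if one slipped through.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // Returns the text of the <patterns> element. Under HardenedSettings a
    // document carrying a DOCTYPE throws XmlException on the first Read().
    public static string LoadPatterns(string xml, XmlReaderSettings settings)
    {
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        string patterns = "";
        while (reader.Read())
        {
            if (reader.NodeType == XmlNodeType.Element && reader.Name == "patterns")
                patterns = reader.ReadElementContentAsString();
        }
        return patterns;
    }
}
```

Calling LoadPatterns(SamplePatternXml, HardenedSettings()) fails with an XmlException at the DOCTYPE, before any entity is declared or resolved, which is the behaviour to verify when testing a deployment that cannot yet move to the patched release.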
