Skip to main content

Ivy

4 CVEs product

Monthly

CVE-2026-26032 MEDIUM This Month

Path traversal in Apache Ivy's PackagerResolver (versions 2.0.0 through 2.5.3) allows an attacker with write access to a packager repository to overwrite arbitrary files outside the configured buildRoot directory by embedding '../' sequences in module coordinates such as organisation, name, or revision. The overwrite occurs during the Ant-script-driven repackaging phase that PackagerResolver triggers on artifact download. No public exploit code has been identified at time of analysis, and the vendor has released version 2.6.0 as the fix, confirmed via the Apache Ant project site on July 14, 2026.

Apache Path Traversal Ivy
NVD VulDB
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-41938 Maven MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Ivy
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-37866 Maven HIGH PATCH This Week

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-37865 Maven CRITICAL PATCH Act Now

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
CVSS 3.1
9.1
EPSS
1.8%
EPSS 1% CVSS 5.4
MEDIUM This Month

Path traversal in Apache Ivy's PackagerResolver (versions 2.0.0 through 2.5.3) allows an attacker with write access to a packager repository to overwrite arbitrary files outside the configured buildRoot directory by embedding '../' sequences in module coordinates such as organisation, name, or revision. The overwrite occurs during the Ant-script-driven repackaging phase that PackagerResolver triggers on artifact download. No public exploit code has been identified at time of analysis, and the vendor has released version 2.6.0 as the fix, confirmed via the Apache Ant project site on July 14, 2026.

Apache Path Traversal Ivy
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins CSRF Ivy
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ivy
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy