Skip to main content

Lucene Net

4 CVEs product

Monthly

CVE-2026-47898 MEDIUM PATCH This Month

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.

XXE Apache Lucene Net
NVD
CVSS 4.0
4.0
EPSS
0.1%
CVE-2026-47897 HIGH PATCH This Week

Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. Exploitation is gated by high attack complexity and specific attack requirements, making practical abuse less trivial than the raw score suggests.

Path Traversal Apache Lucene Net
NVD
CVSS 4.0
8.9
EPSS
0.4%
CVE-2026-47896 HIGH PATCH This Week

Path traversal (CWE-22) in the Apache Lucene.Net.Replicator library lets remote attackers read files outside the intended index directory by supplying crafted pathnames to the replication service, disclosing arbitrary server-side files. All releases from 4.8.0-beta00005 through 4.8.0-beta00017 are affected, and Apache fixed it in 4.8.0-beta00018. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 4.0 base score of 8.9 (High) reflects unauthenticated network access and high confidentiality impact including a subsequent-system scope change.

Path Traversal Apache Lucene Net
NVD
CVSS 4.0
8.9
EPSS
0.5%
CVE-2024-43383 NuGet HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Apache Authentication Bypass Lucene Net
NVD
CVSS 3.1
8.1
EPSS
1.2%
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.

XXE Apache Lucene Net
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. Exploitation is gated by high attack complexity and specific attack requirements, making practical abuse less trivial than the raw score suggests.

Path Traversal Apache Lucene Net
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Path traversal (CWE-22) in the Apache Lucene.Net.Replicator library lets remote attackers read files outside the intended index directory by supplying crafted pathnames to the replication service, disclosing arbitrary server-side files. All releases from 4.8.0-beta00005 through 4.8.0-beta00017 are affected, and Apache fixed it in 4.8.0-beta00018. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 4.0 base score of 8.9 (High) reflects unauthenticated network access and high confidentiality impact including a subsequent-system scope change.

Path Traversal Apache Lucene Net
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Apache +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy