{"id":"CVE-2026-47897","summary":"Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client","details":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).\n\nThis issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018.\n\nUsers are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.","modified":"2026-07-15T01:48:56.705800882Z","published":"2026-07-03T07:48:11.367Z","database_specific":{"cna_assigner":"apache","cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47897.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.8.0-beta00005"},{"fixed":"4.8.0-beta00018"}]},{"extracted_events":[{"introduced":"4.8.0-beta00005"},{"fixed":"4.8.0-beta00018"}],"source":"DESCRIPTION"}]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/07/03/2"},{"type":"WEB","url":"https://www.nuget.org"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47897.json"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/on1j3zmvgtf8n9fw78z3lyf6dn94p5zc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47897"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/lucenenet","events":[{"introduced":"ffbe9c3f90297dfbae11c8a3b1dad475821f46b3"},{"last_affected":"5784b18a4c11c847bc2c962b7c4cd6d072b5b2a8"}],"database_specific":{"cpe":["cpe:2.3:a:apache:lucene.net:4.8.0:beta00005:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00006:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00007:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00008:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00009:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00010:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00011:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00012:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00013:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00014:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00015:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00016:*:*:*:*:*:*","cpe:2.3:a:apache:lucene.net:4.8.0:beta00017:*:*:*:*:*:*"],"extracted_events":[{"introduced":"4.8.0-beta00005"},{"last_affected":"4.8.0-beta00005"},{"introduced":"4.8.0-beta00006"},{"last_affected":"4.8.0-beta00006"},{"introduced":"4.8.0-beta00007"},{"last_affected":"4.8.0-beta00007"},{"introduced":"4.8.0-beta00008"},{"last_affected":"4.8.0-beta00008"},{"introduced":"4.8.0-beta00009"},{"last_affected":"4.8.0-beta00009"},{"introduced":"4.8.0-beta00010"},{"last_affected":"4.8.0-beta00010"},{"introduced":"4.8.0-beta00011"},{"last_affected":"4.8.0-beta00011"},{"introduced":"4.8.0-beta00012"},{"last_affected":"4.8.0-beta00012"},{"introduced":"4.8.0-beta00013"},{"last_affected":"4.8.0-beta00013"},{"introduced":"4.8.0-beta00014"},{"last_affected":"4.8.0-beta00014"},{"introduced":"4.8.0-beta00015"},{"last_affected":"4.8.0-beta00015"},{"introduced":"4.8.0-beta00016"},{"last_affected":"4.8.0-beta00016"},{"introduced":"4.8.0-beta00017"},{"last_affected":"4.8.0-beta00017"}],"source":"CPE_STRING"}}],"versions":["4.8.0-beta00005","4.8.0-beta00006","4.8.0-beta00007","4.8.0-beta00008","4.8.0-beta00009","4.8.0-beta00010","4.8.0-beta00011","4.8.0-beta00012","4.8.0-beta00013","4.8.0-beta00014","4.8.0-beta00015","4.8.0-beta00016","4.8.0-beta00017","Lucene.Net_4_8_0_beta00017","Lucene.Net_4_8_0_beta00016","Lucene.Net_4_8_0_beta00015","Lucene.Net_4_8_0_beta00014","Lucene.Net_4_8_0_beta00013","Lucene.Net_4_8_0_beta00012","Lucene.Net_4_8_0_beta00011","Lucene.Net_4_8_0_beta00010","Lucene.Net_4_8_0_beta00009","Lucene.Net_4_8_0_beta00008","Lucene.Net_4_8_0_beta00007","Lucene.Net_4_8_0_beta00006","Lucene.Net_4_8_0_beta00005"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47897.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y/RE:L"}]}