highCVE-2026-47897

CVE-2026-47897 lucene.net vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018. Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

Productlucene.net
CVSS8.9
EPSS0.00616
UpdatedJuly 14, 2026

Quick answer

apache lucene.net should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • before 4.8.0-beta00018

Fixed versions

  • 4.8.0-beta00018

How to fix it

CVE-2026-47897 affects Apache Lucene.Net. It may let an attacker read or touch files outside the intended path. Upgrade the affected Lucene.Net package to 4.8.0-beta00018.

  1. Find every .NET project that uses Apache Lucene.Net packages.
  2. Check NuGet package versions and lock files.
  3. Upgrade the affected Lucene.Net package to 4.8.0-beta00018.
  4. Rebuild and redeploy services that use Lucene.Net.
  5. Block untrusted replication data, paths, and XML input until patched.
  6. Review app logs for unexpected file paths or XML parser errors.
  7. Run tests for search, indexing, and replication workflows.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm NuGet resolves Lucene.Net packages to 4.8.0-beta00018 or newer.
  • Confirm old package versions are not present in lock files.
  • Retest indexing, search, and replication flows.
  • Confirm untrusted paths or XML payloads are rejected.
  • Save package and deployment evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47897?

apache lucene.net versions listed as affected should be reviewed: before 4.8.0-beta00018.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.