CVE-2026-47897 lucene.net vulnerability
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library). This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018. Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
Quick answer
apache lucene.net should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- before 4.8.0-beta00018
Fixed versions
- 4.8.0-beta00018
How to fix it
CVE-2026-47897 affects Apache Lucene.Net. It may let an attacker read or touch files outside the intended path. Upgrade the affected Lucene.Net package to 4.8.0-beta00018.
- Find every .NET project that uses Apache Lucene.Net packages.
- Check NuGet package versions and lock files.
- Upgrade the affected Lucene.Net package to 4.8.0-beta00018.
- Rebuild and redeploy services that use Lucene.Net.
- Block untrusted replication data, paths, and XML input until patched.
- Review app logs for unexpected file paths or XML parser errors.
- Run tests for search, indexing, and replication workflows.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm NuGet resolves Lucene.Net packages to 4.8.0-beta00018 or newer.
- Confirm old package versions are not present in lock files.
- Retest indexing, search, and replication flows.
- Confirm untrusted paths or XML payloads are rejected.
- Save package and deployment evidence.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-47897?
apache lucene.net versions listed as affected should be reviewed: before 4.8.0-beta00018.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
