Apache Lucene.NET security advisories
Security information for Apache Lucene.NET
Reporting
Do you want disclose a potential security issue for Apache Lucene.NET? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
XXE vulnerability in Lucene.Net.Analysis.Common PatternParser
CVE-2026-47898 [CVE] [CVE json] [OSV json]
Last updated: 2026-07-03T07:47:36.852Z
Affected
- Apache Lucene.Net from 4.8.0-beta00005 before 4.8.0-beta00018
Description
Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library).
This issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.
Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
References
Credits
- Daniel Cervera (reporter)
- Paul Irwin (coordinator)
- Shad Storhaug (remediation reviewer)
Arbitrary file write from malicious server to Lucene.Net.Replicator client
CVE-2026-47897 [CVE] [CVE json] [OSV json]
Last updated: 2026-07-03T07:48:10.017Z
Affected
- Apache Lucene.Net from 4.8.0-beta00005 before 4.8.0-beta00018
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).
This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018.
Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
References
Credits
- Daniel Cervera (reporter)
- Paul Irwin (coordinator)
- Shad Storhaug (remediation reviewer)
Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server
CVE-2026-47896 [CVE] [CVE json] [OSV json]
Last updated: 2026-07-03T07:48:34.009Z
Affected
- Apache Lucene.Net from 4.8.0-beta00005 before 4.8.0-beta00018
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).
This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017.
Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.
References
Credits
- Daniel Cervera (reporter)
- Paul Irwin (coordinator)
- Shad Storhaug (remediation reviewer)
Remote Code Execution in Lucene.Net.Replicator
CVE-2024-43383 [CVE] [CVE json] [OSV json]
Last updated: 2024-10-31T09:57:26.362Z
Affected
- Apache Lucene.Net.Replicator from 4.8.0-beta00005 through 4.8.0-beta00016
Description
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.
This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.
An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.
Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.
References
Credits
- Summ3r, Vidar-Team (reporter)
- Apache Lucene (remediation developer)