๐Ÿ” CVE Alert

CVE-2026-26032

MEDIUM 5.4

Apache Ivy: PackagerResolver path traversal vulnerability

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

The PackagerResolver of Apache Ivy is able to download online artifacts and to (re)package them in a format defined by a packager.xml file. This repackaging is done by an Ant script, which is stored in a subdirectory of the configured "buildRoot" directory. This subdirectory is calculated based on modules coordinates, like the organisation, name or version. If one of the coordinates contains "../" sequences - which are valid characters for Ivy coordinates in general- it is possible to break out of the configured "buildRoot" directory where other files can be overwritten. In order to exploit this vulnerability an attacker needs to have access to a packager repository and add or modify the coordinates in ivy.xml files to have such "../" sequences. Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.

CWE CWE-22
Vendor apache software foundation
Product apache ivy
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for apache software foundation apache ivy

Be the first to know when new medium vulnerabilities affecting apache software foundation apache ivy are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Apache Software Foundation / Apache Ivy
2.0.0 โ‰ค 2.5.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
lists.apache.org: https://lists.apache.org/thread/4d9dzrlnoplvywnyj9x6w84kxg7n3jyq openwall.com: http://www.openwall.com/lists/oss-security/2026/07/15/5

Credits

๐Ÿ” yudeshui of dhgate security