CVE-2026-26032
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-22
Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
15/07/2026
Última modificación:
16/07/2026
Descripción
*** Pendiente de traducción *** The PackagerResolver of Apache Ivy is able to download online<br />
artifacts and to (re)package them in a format defined by a<br />
packager.xml file. This repackaging is done by an Ant script, which is<br />
stored in a subdirectory of the configured "buildRoot" directory. This<br />
subdirectory is calculated based on modules coordinates, like the<br />
organisation, name or version.<br />
<br />
If one of the coordinates contains "../" sequences - which are valid<br />
characters for Ivy coordinates in general- it is possible to break out<br />
of the configured "buildRoot" directory where other files can be<br />
overwritten.<br />
<br />
In order to exploit this vulnerability an attacker needs to have<br />
access to a packager repository and add or modify the coordinates in<br />
ivy.xml files to have such "../" sequences.<br />
<br />
Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.
Impacto
Puntuación base 3.x
5.40
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:apache:ivy:*:*:*:*:*:*:*:* | 2.0.0 (incluyendo) | 2.6.0 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



