Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-26032

The PackagerResolver of Apache Ivy is able to download online artifacts and to (re)package them in a format defined by a packager.xml file. This repackaging is done by an Ant script, which is stored in a subdirectory of the configured "buildRoot" directory. This subdirectory is calculated based on modules coordinates, like the organisation, name or version. If one of the coordinates contains "../" sequences - which are valid characters for Ivy coordinates in general- it is possible to break out of the configured "buildRoot" directory where other files can be overwritten. In order to exploit this vulnerability an attacker needs to have access to a packager repository and add or modify the coordinates in ivy.xml files to have such "../" sequences. Users of Apache Ivy 2.0.0 to 2.5.3 (inclusive) should upgrade to Ivy 2.6.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 43.9%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2026-26032
  • Apache » Ivy » Version: 2.0.0
    cpe:2.3:a:apache:ivy:2.0.0
  • Apache » Ivy » Version: 2.1.0
    cpe:2.3:a:apache:ivy:2.1.0
  • Apache » Ivy » Version: 2.2.0
    cpe:2.3:a:apache:ivy:2.2.0
  • Apache » Ivy » Version: 2.3.0
    cpe:2.3:a:apache:ivy:2.3.0
  • Apache » Ivy » Version: 2.4.0
    cpe:2.3:a:apache:ivy:2.4.0
  • Apache » Ivy » Version: 2.5.0
    cpe:2.3:a:apache:ivy:2.5.0
  • Apache » Ivy » Version: 2.5.1
    cpe:2.3:a:apache:ivy:2.5.1
  • Apache » Ivy » Version: 2.5.2
    cpe:2.3:a:apache:ivy:2.5.2
  • Apache » Ivy » Version: 2.5.3
    cpe:2.3:a:apache:ivy:2.5.3


Contact Us

Shodan ® - All rights reserved