We just published three bugfix releases of Hibernate Search: 5.6.4.Final, 5.7.3.Final and 5.8.2.Final.
Most notably, these releases upgrade the Lucene dependency to 5.5.5,
which fixes CVE-2017-12629.
This vulnerability should only affect you if you use org.apache.lucene.queryparser.xml.CoreParser
and feed it input from untrusted sources; Hibernate Search itself does not use this class.
However, the upgrade is recommended even if you don’t use this class.
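
To check whether a project meets the two conditions above, the following script (an added example, not part of Hibernate Search or of the original announcement) lists Lucene 5.x jars older than 5.5.5 and source files that reference the XML query parser package. The function names are hypothetical, and the script assumes Maven-style jar names (`lucene-<module>-<version>.jar`); it only evaluates the 5.x line, because 5.5.5 is the only fixed version the announcement names.

```shell
#!/bin/sh
# Added example: audit a project tree for exposure to CVE-2017-12629.
# Assumption: jars follow the Maven naming scheme lucene-<module>-<version>.jar.
FIXED_LUCENE="5.5.5"   # Lucene version that the announcement says contains the fix

# Succeeds (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print every Lucene 5.x jar under directory $1 whose version is below FIXED_LUCENE.
# Other Lucene release lines are not assessed here.
old_lucene_jars() {
    find "$1" -type f -name 'lucene-*-5.*.jar' | while IFS= read -r jar; do
        ver=${jar##*-}      # strip everything up to the last hyphen
        ver=${ver%.jar}     # strip the extension, leaving e.g. 5.5.4
        if version_lt "$ver" "$FIXED_LUCENE"; then printf '%s\n' "$jar"; fi
    done
}

# Print source files under $1 that reference the XML query parser package.
# Matching the package (not only CoreParser) also catches wildcard imports;
# each hit still needs a manual check for CoreParser use on untrusted input.
coreparser_users() {
    grep -rlE --include='*.java' --include='*.kt' --include='*.xml' \
        'org\.apache\.lucene\.queryparser\.xml' "$1" || true
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    echo "Lucene 5.x jars older than $FIXED_LUCENE:"
    old_lucene_jars "$1"
    echo "Sources referencing the XML query parser package:"
    coreparser_users "$1"
fi
```

An empty first list means no outdated Lucene 5.x jar was found under the given directory; an empty second list means no direct reference to the parser package was found in the scanned file types.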