Found 4 results for "Tika"

🔒 CVE HIGH CVSS: 8.4 • December 04, 2025

CVE-2025-66516

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

🔒 CVE HIGH CVSS: 8.4 • August 20, 2025

CVE-2025-54988

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

🔒 CVE MEDIUM CVSS: 4.3 • March 27, 2026

CVE-2025-59031

Dovecot has provided a script to use for attachment-to-text conversion. This script unsafely handles zip-style attachments. An attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently end up in FTS indexes. Do not use the provided script; instead, use something else like FTS Tika. No publicly available exploits are known.

🔒 CVE MEDIUM CVSS: 4.3 • September 16, 2025

CVE-2025-8276

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Patika Global Technologies HumanSuite allows Cross-Site Scripting (XSS), Phishing. This issue affects HumanSuite: before 53.21.0.