πŸ” Search

Found 9 results for "Tika"

CVE CRITICAL CVSS: 9.8 • May 29, 2026

CVE-2026-44649

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts the Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0.
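The bug class described above (honouring an identity header regardless of who sent it) and the corresponding fix are illustrated below. This is an added example, not SillyTavern's own code and not its actual 1.18.0 patch; the function names, the trusted-proxy CIDR list and the sample requests are assumptions chosen for the illustration. The hardened variant only honours the SSO header when the TCP peer address (not X-Forwarded-For, which a client can also forge) belongs to an allow-listed reverse proxy.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Header names the advisory says are honoured for SSO auto-login.
SSO_HEADERS = ("remote-user", "x-authentik-username")


def _sso_header_value(headers: Mapping[str, str]) -> Optional[str]:
    """Return the first non-empty SSO header (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in SSO_HEADERS:
        if lowered.get(name):
            return lowered[name]
    return None


def sso_user_vulnerable(headers: Mapping[str, str], sso_enabled: bool) -> Optional[str]:
    """Pre-fix behaviour as the advisory describes it: whoever sets the header is logged in."""
    if not sso_enabled:
        return None
    return _sso_header_value(headers)


def sso_user_hardened(
    remote_addr: str,
    headers: Mapping[str, str],
    sso_enabled: bool,
    trusted_proxies: Iterable[str],
) -> Optional[str]:
    """Honour the SSO header only if the connection comes from a trusted reverse proxy.

    remote_addr must be the socket peer address (e.g. req.socket.remoteAddress in
    Node, REMOTE_ADDR in WSGI), never a value taken from request headers.
    trusted_proxies is a hypothetical allow-list of CIDRs (e.g. ["10.0.0.5/32"]).
    """
    if not sso_enabled:
        return None
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Unparseable peer address: fail closed rather than trust the header.
        return None
    if not any(peer in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_proxies):
        # Direct hit on the application port from an arbitrary client: ignore the header.
        return None
    return _sso_header_value(headers)


if __name__ == "__main__":
    # Constructed sample: an attacker on the LAN reaching the app port directly.
    attacker = {"Remote-User": "admin"}
    print("vulnerable:", sso_user_vulnerable(attacker, True))                        # admin
    print("hardened  :", sso_user_hardened("192.168.1.50", attacker, True, ["10.0.0.5/32"]))  # None
    print("via proxy :", sso_user_hardened("10.0.0.5", attacker, True, ["10.0.0.5/32"]))      # admin
```

The allow-list alone is not sufficient: the reverse proxy must also overwrite (not merely pass through) any Remote-User or X-Authentik-Username header supplied by the client, otherwise a client going through the proxy can still inject the value. Binding the application to localhost or a proxy-only network removes the direct-access path entirely.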

CVE CRITICAL CVSS: 9.8 • April 06, 2017

CVE-2016-6809

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

CVE HIGH CVSS: 8.4 • December 04, 2025

CVE-2025-66516

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-parser-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entry point for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

CVE HIGH CVSS: 8.4 • August 20, 2025

CVE-2025-54988

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
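The practical lesson of the two XFA XXE entries above (CVE-2025-66516 and CVE-2025-54988) is that checking the artifact named in the first advisory is not enough: tika-core is where the fix lives, so a build with tika-parser-pdf-module 3.2.2 and tika-core 3.2.1 is still vulnerable, and 1.x builds carry the parser inside tika-parsers. The audit script below encodes exactly the affected ranges the two advisories state and runs them over the output of `mvn dependency:list`. It is an added example, not Apache Tika tooling; the sample Maven output is constructed for the illustration, and the function names are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and fixed version, as stated in CVE-2025-66516 / CVE-2025-54988.
# (coordinate -> (first affected, last affected, advisory, fix))
AFFECTED = {
    "org.apache.tika:tika-core": ((1, 13, 0), (3, 2, 1), "CVE-2025-66516", "3.2.2"),
    "org.apache.tika:tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1), "CVE-2025-54988", "3.2.2"),
    "org.apache.tika:tika-parsers": ((1, 13, 0), (1, 28, 5), "CVE-2025-66516", "3.2.2"),
}

# One resolved line of `mvn dependency:list`: groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+):(compile|runtime|provided|test|system)\b"
)


def parse_version(text: str) -> Version:
    """'3.2.1' -> (3, 2, 1); '1.13' -> (1, 13, 0); a qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def parse_dependency_list(lines: Iterable[str]) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for every resolved dependency line."""
    deps: Dict[str, str] = {}
    for line in lines:
        m = DEP_LINE.search(line)
        if m:
            deps[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return deps


def audit(deps: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, advisory) for each Tika artifact inside an affected range."""
    findings = []
    for coord, (lo, hi, cve, _fix) in AFFECTED.items():
        if coord in deps and lo <= parse_version(deps[coord]) <= hi:
            findings.append((coord, deps[coord], cve))
    return findings


def partial_upgrade_trap(deps: Dict[str, str]) -> bool:
    """True when tika-parser-pdf-module was bumped past 3.2.1 but tika-core was not (still vulnerable)."""
    pdf = deps.get("org.apache.tika:tika-parser-pdf-module")
    core = deps.get("org.apache.tika:tika-core")
    if pdf is None or core is None:
        return False
    return parse_version(pdf) >= (3, 2, 2) and parse_version(core) <= (3, 2, 1)


# Constructed sample of `mvn dependency:list` output showing exactly the partial-upgrade mistake.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
[INFO]    commons-io:commons-io:jar:2.18.0:compile
"""

if __name__ == "__main__":
    resolved = parse_dependency_list(SAMPLE_MVN_OUTPUT.splitlines())
    for coord, version, cve in audit(resolved):
        print(f"{coord} {version}: affected by {cve}, upgrade to {AFFECTED[coord][3]}")
    if partial_upgrade_trap(resolved):
        print("tika-parser-pdf-module is fixed but tika-core is not: still vulnerable")
```

Run it as `mvn dependency:list | python tika_audit.py` (reading stdin instead of the sample) and treat any finding as a blocker. The same ranges apply to Gradle or SBT builds; only the line parser changes.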

CVE HIGH CVSS: 7.8 • September 30, 2017

CVE-2016-4434

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

CVE MEDIUM CVSS: 6.5 • September 16, 2025

CVE-2025-8057

Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client. This issue affects HumanSuite: before 53.21.0.

CVE MEDIUM CVSS: 5.3 • December 15, 2016

CVE-2015-3271

Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.

CVE MEDIUM CVSS: 4.3 • March 27, 2026

CVE-2025-59031

Dovecot has provided a script to use for attachment-to-text conversion. This script unsafely handles zip-style attachments. An attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently end up in FTS indexes. Do not use the provided script; instead, use something else like FTS Tika. No publicly available exploits are known.

CVE MEDIUM CVSS: 4.3 • September 16, 2025

CVE-2025-8276

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Patika Global Technologies HumanSuite allows Cross-Site Scripting (XSS), Phishing. This issue affects HumanSuite: before 53.21.0.