479 matches found

Nuclei
added 20 hours ago | 9 views

Apache Tika - XML External Entity Injection

Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1, and tika-parsers 1.13-1.28.5 contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input. id: CVE-2025-66516 info: nam...

CVSS 9.8 | AI score 7.5 | EPSS 0.01579
Exploits 5 | References 2

Nuclei
added 3 days ago | 37 views

Apache Tika < 1.1.8 - Header Command Injection

Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. i...

CVSS 9.3 | AI score 7.2 | EPSS 0.93876
Exploits 10 | References 5

Tenable Nessus
added 2026/05/29 12:0 a.m. | 7 views

Ubuntu 20.04 LTS / 22.04 LTS : Apache Tika vulnerabilities (USN-8324-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8324-1 advisory. It was discovered that Apache Tika incorrectly handled XML external entities when parsing XFA content in PDF files. An attacker could possibl...

CVSS 9.8 | AI score 7.5 | EPSS 0.01579
Exploits 6 | References 3

Ubuntu
added 2026/05/27 2:10 p.m. | 12 views

USN-8324-1: Apache Tika vulnerabilities

It was discovered that Apache Tika incorrectly handled XML external entities when parsing XFA content in PDF files. An attacker could possibly use this issue to obtain sensitive information or send malicious requests to internal resources or third-party servers...

CVSS 9.8 | AI score 7.3 | EPSS 0.01579
Exploits 6

OSV
added 2026/05/27 2:10 p.m. | 3 views

USN-8324-1 tika vulnerabilities

It was discovered that Apache Tika incorrectly handled XML external entities when parsing XFA content in PDF files. An attacker could possibly use this issue to obtain sensitive information or send malicious requests to internal resources or third-party servers...

CVSS 9.8 | AI score 6 | EPSS 0.01579
Exploits 6 | References 3

IBM Security Bulletins
added 2026/04/17 5:25 a.m. | 6 views

Security Bulletin: IBM SPSS Modeler is affected by multiple vulnerabilities in Apache Tika Core and Parsers (CVE-2025-54988, CVE-2025-66516, CVE-2025-66516)

Summary IBM SPSS Modeler is affected by multiple vulnerabilities in Apache Tika Core and Parsers CVE-2025-54988, CVE-2025-66516, CVE-2025-66516. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-54988 DESCRIPTION: Critical XXE in Apache Tika...

CVSS 9.8 | AI score 5.6 | EPSS 0.01579
Exploits 6 | Affected Software 1

Chainguard
added 2026/04/12 2:17 a.m. | 4 views

GHSA-3PXV-7CMR-FJR4 vulnerabilities

Vulnerabilities for packages: apache-camel-karavan-devmode, apache-pulsar-fips, kafka-bridge, logstash, spark, apache-activemq-artemis, kserve-modelmesh, opensearch-fips, pinot, elasticsearch, strimzi-kafka-operator, spark-kubernetes-operator, zipkin, ghidra, geoserver, apache-jena-fuseki,...

AI score 5.4
Exploits 0

Chainguard
added 2026/04/12 2:17 a.m. | 3 views

CVE-2026-34480 vulnerabilities

Vulnerabilities for packages: apache-camel-karavan-devmode, apache-pulsar-fips, kafka-bridge, logstash, spark, apache-activemq-artemis, kserve-modelmesh, opensearch-fips, pinot, elasticsearch, strimzi-kafka-operator, spark-kubernetes-operator, zipkin, ghidra, geoserver, apache-jena-fuseki,...

CVSS 7.5 | AI score 5.4 | EPSS 0.00034
Exploits 0

IBM Security Bulletins
added 2026/04/07 5:7 p.m. | 8 views

Security Bulletin: Due to use of Apache Tika, IBM Operations Analytics - Log Analysis is affected by XML External Entity (XXE) vulnerability

Summary Apache Tika in Apache Solr is used by IBM Operations Analytics - Log Analysis as part of the extraction of text and metadata from uploaded documents so they can be indexed and searched through Solr's ExtractingRequestHandler. CVE-2025-54988, CVE-2025-66516 Vulnerability Details...

CVSS 9.8 | AI score 7 | EPSS 0.01579
Exploits 6 | Affected Software 1

IBM Security Bulletins
added 2026/04/03 4:0 p.m. | 10 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Tika

Summary Multiple vulnerabilities in Apache Tika that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2025-54988 DESCRIPTION: Critical XXE in Apache Tika tika-parser-pdf-module in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an...

CVSS 9.8 | AI score 7.1 | EPSS 0.01579
Exploits 6 | Affected Software 1

IBM Security Bulletins
added 2026/03/02 2:36 p.m. | 10 views

Security Bulletin: Critical vulnerability addressed in Cloudera Base on premises 7.1.9 SP1 CHF 14 and Cloudera Runtime 7.3.1.700 SP3 CHF 2

Summary CVE-2025-66516 - Apache Tika addressed in Cloudera Base on premises 7.1.9 SP1 CHF 14 and Cloudera Runtime 7.3.1.700 SP3 CHF 2 Vulnerability Details CVEID:CVE-2025-66516 DESCRIPTION: Critical XXE in Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1 and tika-parsers 1.13-1.28.5...

CVSS 9.8 | AI score 6 | EPSS 0.01579
Exploits 5 | Affected Software 1

IBM Security Bulletins
added 2026/02/16 12:33 p.m. | 13 views

Security Bulletin: IBM SPSS Analytic Server is affected by Critical XXE vulnerability in Apache Tika (CVE-2025-66516)

Summary IBM SPSS Analytic Server is affected by Critical XXE vulnerability in Apache Tika CVE-2025-66516. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-66516 DESCRIPTION: Critical XXE in Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1 and...

CVSS 9.8 | AI score 5.5 | EPSS 0.01579
Exploits 5 | Affected Software 1

IBM Security Bulletins
added 2026/02/10 10:54 a.m. | 17 views

Security Bulletin: Due to the use of Apache Tika, IBM webMethods Integration Server is vulnerable to XML External Entity injection (CVE-2025-66516)

Summary IBM webMethods Integration Server uses Apache Tika for Reference Data functionality and vulnerability reported in Apache Tika is addressed. Vulnerability Details CVEID:CVE-2025-66516 DESCRIPTION: Critical XXE in Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1 and tika-parser...

CVSS 9.8 | AI score 5.5 | EPSS 0.01579
Exploits 5 | Affected Software 1

Tenable Nessus
added 2026/02/06 12:0 a.m. | 5 views

Atlassian Confluence 7.7.x < 8.5.31 / 8.6.x < 9.2.13 / 9.3.1 < 10.2.2 (CONFSERVER-101878)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101878 advisory. - Critical XXE in Apache Tika tika-parser-pdf-module in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry o...

CVSS 9.8 | AI score 5.6 | EPSS 0.0002
Exploits 4 | References 2

Tenable Nessus
added 2026/02/06 12:0 a.m. | 6 views

Atlassian Confluence 7.19 < 8.5.31 / 8.6.x < 9.2.13 / 9.3.x < 10.2.2 (CONFSERVER-101872)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101872 advisory. - Critical XXE in Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1 and tika-parsers 1.13-1.28.5 modules on all platforms allows an...

CVSS 9.8 | AI score 7.8 | EPSS 0.01579
Exploits 5 | References 2

IBM Security Bulletins
added 2026/01/27 9:3 a.m. | 14 views

Security Bulletin: IBM SPSS Analytic Server is affected by XML External Entity injection vulnerability in Apache Tika (CVE-2025-54988)

Summary IBM SPSS Analytic Server is affected by XML External Entity injection vulnerability in Apache Tika CVE-2025-54988. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-54988 DESCRIPTION: Critical XXE in Apache Tika tika-parser-pdf-module in Apache Tika...

CVSS 9.8 | AI score 5.8 | EPSS 0.0002
Exploits 4 | Affected Software 1

Tenable Nessus
added 2026/01/22 12:0 a.m. | 9 views

Oracle Primavera Unifier (January 2026 CPU)

The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory. - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering component: Integration Apache Tika. Supported versions th...

CVSS 9.8 | AI score 7 | EPSS 0.05222
Exploits 6 | References 6

NCSC
added 2026/01/21 9:18 a.m. | 10 views

Vulnerabilities fixed in Oracle Commerce

Oracle has fixed vulnerabilities in several products, including Oracle WebLogic Server and Oracle Commerce products The vulnerabilities allow unauthenticated attackers to cause partial denial-of-service over HTTP. This can lead to system downtime and service disruption. In addition, there is a...

CVSS 10 | AI score 7.3 | EPSS 0.01579
Exploits 6 | References 1

F5 Networks
added 2026/01/19 5:9 a.m. | 11 views

K000159609: Apache Tika vulnerability CVE-2025-66516

Security Advisory Description Critical XXE in Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1 and tika-parsers 1.13-1.28.5 modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same...

CVSS 9.8 | AI score 7 | EPSS 0.01579
Exploits 5

Tenable Nessus
added 2026/01/15 12:0 a.m. | 4 views

Adobe ColdFusion < 2023.x < 2023u18 / 2025.x < 2025u6 RCE (APSB26-12)

The version of Adobe ColdFusion installed on the remote Windows host is prior to 2023.x update 18 or 2025.x update 6. It is, therefore, affected by a vulnerability in the bundled Apache Tika dependency that could lead to arbitrary code execution. Note that Nessus has not tested for this issue but...

CVSS 9.8 | AI score 7.5 | EPSS 0.01579
Exploits 5 | References 2