CVE-2025-31672
CVE-2025-31672 is an Improper Input Validation issue in Apache POI’s OOXML parsing. The root cause is acceptance of duplicate zip entry names (including paths) within OOXML files (xlsx/docx/pptx), which can cause reads of different data depending on which duplicate entry is chosen. Affects poi-oo...
CVE-2019-12415
CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The Connected documen...
CVE-2017-12626
CVE-2017-12626 affects Apache POI prior to 3.17. The vulnerability arises from parsing crafted WMF/EMF/MSG and macros (leading to denial of service via infinite loop) and crafted DOC/PPT/XLS (leading to out-of-memory errors). Multiple connected advisories reference this CVE and describe it as a D...
CVE-2022-26336
CVE-2022-26336 affects the poi-scratchpad HMEF package in Apache POI used to read TNEF files. The issue can trigger an Out of Memory exception when parsing untrusted TNEF inputs, impacting poi-scratchpad versions up to 5.2.0. The publicly recommended remediation is to upgrade to poi-scratchpad 5....
CVE-2017-5644
CVE-2017-5644 affects Apache POI: versions prior to 3.15 are vulnerable to an XML Entity Expansion (XEE) denial of service via a specially crafted OOXML file, causing high CPU usage. Documented impact is a CPU consumption DoS rather than code execution. Public references in the connected material...
CVE-2012-0213
The CVE-2012-0213 vulnerability resides in Apache POI 3.8 and earlier, specifically UnhandledDataStructure.java, where crafted CDF/CFBF data can cause a denial of service (OutOfMemoryError). IBM and vendor advisories consistently tie this CVE to Apache POI loaded in IBM QRadar SIEM and related IB...
CVE-2014-3529
The CVE-2014-3529 issue is an XXE in Apache POI’s OOXML processing (OPC SAX setup) prior to 3.10.1, enabling a remote attacker to read arbitrary files via an OpenXML file containing an external entity declaration. IBM and vulnerability bulletins note that upgrading poi-ooxml to 4.0.x (and general...
CVE-2014-9527
CVE-2014-9527 is a denial-of-service in Apache POI’s HSLFSlideShow when processing crafted PPTs. Affected component: HSLFSlideShow in POI prior to 3.11. Impact: application may enter an infinite loop and deadlock. Root cause: vulnerable PPT parsing path in POI. Mitigation: upgrade to POI 3.11 or ...
CVE-2014-3574
Apache POI is affected by CVE-2014-3574. Affected versions: POI before 3.10.1 and 3.11.x before 3.11-beta2. Root cause: XML Entity Expansion (XEE) in OOXML processing. Impact: remote attacker can cause a denial of service via crafted OOXML files (CPU consumption and crash). Remediation: upgrade t...
CVE-2016-5000
The CVE-2016-5000 entry concerns the XLSX2CSV example in Apache POI. The root cause is an XML External Entity (XXE) vulnerability introduced when parsing OpenXML in the XLSX2CSV path, allowing a crafted document to cause an external-entity reference to read arbitrary files. Affected products/vers...