25 matches found

CVE-2025-66516
Added 2025/12/04 4:17 p.m. (404 views)

CVE-2025-66516 is a critical XXE in Apache Tika affecting tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5). The root cause is XML External Entity injection triggered by a crafted XFA file in a PDF, allowing an attacker to access sensitive data or trigger intern...

CVSS 9.8 | AI score 8.3 | EPSS 0.79807 | Tags: Web
CVE-2021-33813
Added 2021/06/16 11:18 a.m. (348 views)

CVE-2021-33813 concerns an XXE vulnerability in JDOM’s SAXBuilder up to version 2.0.6, allowing denial-of-service via a crafted HTTP request. Connected advisories confirm the issue affects jdom/jdom2 and list downstream fixes/upgrades in Linux distributions (e.g., Amazon Linux advisories ALAS2-20...

CVSS 7.5 | AI score 7 | EPSS 0.19442
CVE-2018-1335
Added 2018/04/25 9:00 p.m. (295 views)

CVE-2018-1335 affects Apache Tika with tika-server versions 1.7–1.17, where carefully crafted HTTP headers can trigger command injection on the server if exposed to untrusted clients. The underlying issue is an input handling flaw that allows commands to be passed to the server’s command line. Th...

CVSS 9.3 | AI score 7.8 | EPSS 0.93972 | Tags: In wild, Web
CVE-2022-25169
Added 2022/05/16 5:05 p.m. (204 views)

CVE-2022-25169 concerns Apache Tika’s BPG parser, where crafted inputs may cause excessive memory allocation, potentially leading to a denial of service. Public details consistently identify the vulnerable component as the BPG parser within Tika and specify affected versions as before 1.28.2 and ...

CVSS 5.5 | AI score 5.7 | EPSS 0.02027
CVE-2022-30126
Added 2022/05/16 5:05 p.m. (186 views)

Apache Tika CVE-2022-30126 is a ReDoS via a regex in StandardsText used by the StandardsExtractingContentHandler. The issue can cause denial of service on crafted files and only affects users running the StandardsExtractingContentHandler (a non-standard handler). A fix is available in Tika versio...

CVSS 5.5 | AI score 4.5 | EPSS 0.02495
CVE-2021-28657
Added 2021/03/31 7:35 a.m. (166 views)

CVE-2021-28657 affects Apache Tika MP3Parser. A carefully crafted or corrupt MP3 file can trigger an infinite loop in MP3Parser in Tika versions up to 1.25, potentially causing a denial of service (crash). Mitigation shown in sources is to upgrade to Tika 1.26 or later. Multiple connected documen...

CVSS 5.5 | AI score 5.6 | EPSS 0.02752
CVE-2022-30973
Added 2022/05/31 1:20 p.m. (161 views)

Apache Tika's ReDoS vulnerability (CVE-2022-30973) arises from a regex in StandardsText used by StandardsExtractingContentHandler. Affected: 1.x branch, specifically the 1.28.2 release; impact is denial of service via backtracking on crafted files. The issue is limited to users running the Standa...

CVSS 5.5 | AI score 4.6 | EPSS 0.02495
CVE-2020-9489
Added 2020/04/27 1:25 p.m. (154 views)

CVE-2020-9489 affects Apache Tika components including OneNoteParser, ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser and ImageParser. The issue involves crafted or corrupt files triggering System.exit, out-of-memory errors, or infinite loops. The public advisories recommend upgrading Apache Tik...

CVSS 5.5 | AI score 6.2 | EPSS 0.0255
CVE-2020-1950
Added 2020/03/23 1:21 p.m. (148 views)

CVE-2020-1950 affects Apache Tika, specifically the PSDParser. The issue arises when processing crafted or corrupt PSD files, which can lead to excessive memory usage and potential denial of service in Tika versions 1.0–1.23. Connected advisories (USN/Ubuntu and related security notes) confirm th...

CVSS 5.5 | AI score 5.5 | EPSS 0.02559
CVE-2025-54988
Added 2025/08/20 8:08 p.m. (136 views)

CVE-2025-54988 is an XXE in Apache Tika affecting tika-core/tika-pdf-module/tika-parsers, allowing XML External Entity injection via a crafted XFA PDF. The NVD entry covers Apache Tika 1.13–3.2.1 with a fix in 3.2.2; UAs may read sensitive data or trigger internal requests. Sev...

CVSS 9.8 | AI score 7.1 | EPSS 0.02962
CVE-2016-6809
Added 2017/04/06 9:00 p.m. (127 views)

Apache Tika prior to 1.14 is vulnerable to remote Java code execution via serialized objects embedded in MATLAB files. The root cause is native deserialization invoked through JMatIO, enabling an attacker to inject and execute code during object deserialization. Public references in the connected...

CVSS 9.8 | AI score 9.4 | EPSS 0.0809
CVE-2020-1951
Added 2020/03/23 1:26 p.m. (126 views)

CVE-2020-1951 affects Apache Tika's PSDParser in versions 1.0–1.23, where a carefully crafted or corrupt PSD file can cause an infinite loop (Denial of Service). The provided connected documents confirm the affected component and root cause (infinite loop in PSDParser) but d...

CVSS 5.5 | AI score 5.5 | EPSS 0.02723
CVE-2018-11796
Added 2018/10/09 10:00 p.m. (118 views)

Apache Tika 0.1–1.19 is vulnerable to an entity-expansion denial of service. The root cause is that Xerces2-based SAXParsers reset() after each parse, which removes the user-configured SecurityManager and, per documentation, the entity-expansion limits after the first parse. This means versions f...

CVSS 7.5 | AI score 7.2 | EPSS 0.06883
CVE-2015-3271
Added 2016/12/15 10:00 p.m. (115 views)

Apache Tika server (tika-server) up to v1.9 is vulnerable when used as a web service with untrusted access: a remote attacker can read arbitrary files via the HTTP fileUrl header, causing information disclosure from the server's filesystem. Root cause is the server fetching content from the URL p...

CVSS 5.3 | AI score 5.2 | EPSS 0.06522
CVE-2022-33879
Added 2022/06/27 9:40 p.m. (113 views)

CVE-2022-33879 is related to Apache Tika's regex handling in the StandardsExtractingContentHandler. The connected Nessus entries confirm a separate, new regular-expression DoS (ReDoS) vulnerability in a different regex within the same component. The initial fixes for CVE-2022-30126 and CVE-2022-3...

CVSS 3.3 | AI score 4.9 | EPSS 0.01892
CVE-2016-4434
Added 2017/09/29 8:00 p.m. (109 views)

CVE-2016-4434 (Apache Tika) affects Tika prior to 1.13, where improper initialization of the XML parser/handlers enables XML External Entity (XXE) attacks via OOXML spreadsheets and XMP metadata in PDFs and other formats. The root cause is an XXE vulnerability in XML parsing that can lead to read...

CVSS 7.8 | AI score 7.5 | EPSS 0.03449
CVE-2018-17197
Added 2018/12/24 2:00 p.m. (108 views)

CVE-2018-17197 affects Apache Tika’s SQLite3Parser, where a carefully crafted or corrupt sqlite file can trigger an infinite loop in versions 1.8–1.19.1. The vulnerability is a denial of service in Tika’s parser, with potential impact on availability. The connected documents confirm the affected ...

CVSS 6.5 | AI score 6.4 | EPSS 0.05934
CVE-2018-11761
Added 2018/09/19 2:00 p.m. (107 views)

Apache Tika is affected by CVE-2018-11761: XML parsers before 1.19.x did not limit entity expansion, enabling potential denial-of-service. Public details indicate vulnerability in Tika 0.1–1.18 (and discussion around 1.19) with remediation to upgrade to 1.19.1 or later. Some sources note that dow...

CVSS 7.5 | AI score 7.2 | EPSS 0.09635
CVE-2018-1339
Added 2018/04/25 9:00 p.m. (102 views)

CVE-2018-1339 affects Apache Tika's ChmParser; a carefully crafted file can trigger an infinite loop in versions prior to 1.18, causing DoS. Remediation: upgrade to Tika 1.18 or later (as indicated by multiple advisories).

CVSS 5.5 | AI score 5.5 | EPSS 0.02648
CVE-2019-10088
Added 2019/08/02 6:53 p.m. (102 views)

CVE-2019-10088 affects Apache Tika’s RecursiveParserWrapper (versions 1.7–1.21). A crafted zip file can cause memory exhaustion/OOM. A fix is available: upgrade to Tika 1.22 or later (as noted across IBM QRadar Security bulletin entries).

CVSS 8.8 | AI score 8.3 | EPSS 0.0484
CVE-2019-10094
Added 2019/08/02 6:37 p.m. (99 views)

Apache Tika CVE-2019-10094: A crafted archive that unpacks to itself (a quine) triggers a StackOverflowError in RecursiveParserWrapper for Tika versions 1.7–1.21. Upgrade to 1.22 or later to fix.

CVSS 7.8 | AI score 7.8 | EPSS 0.02457
CVE-2018-1338
Added 2018/04/25 9:00 p.m. (98 views)

CVE-2018-1338: Apache Tika is vulnerable to a denial of service via a carefully crafted (or fuzzed) file that can trigger an infinite loop in the BPGParser in Tika versions before 1.18. The provided documents confirm the affected component (BPGParser in Apache Tika), the vulnerability type (infi...

CVSS 5.5 | AI score 5.5 | EPSS 0.01984
CVE-2018-8017
Added 2018/09/19 2:00 p.m. (95 views)

Apache Tika 1.2–1.18 is vulnerable to a denial-of-service via the IptcAnpaParser. A crafted file can trigger an infinite loop, potentially causing a hang or crash. Affected component: IptcAnpaParser within Tika; attack may be remote/local depending on deployment. CVE-2018-8017 entry shows a base ...

CVSS 5.5 | AI score 5.4 | EPSS 0.02509
CVE-2018-11762
Added 2018/09/19 2:00 p.m. (93 views)

CVE-2018-11762 affects Apache Tika 0.9–1.18. In the rare case where no extract directory is specified on the command line and an embedded file has an absolute path (e.g., C:/evil.bat), tika-app could overwrite that file. The issue is a path handling/Zip extraction edge case; impact is potential a...

CVSS 5.9 | AI score 5.7 | EPSS 0.05449
CVE-2019-10093
Added 2019/08/02 6:32 p.m. (92 views)

CVE-2019-10093 affects Apache Tika 1.19–1.21, where parsing carefully crafted 2003ml/2006ml files can exhaust SAXParsers in the pool and cause very long hangs. Impact described as denial of service with availability risk; recommended fix is upgrade to Tika 1.22 or newer. Connected sources also no...

CVSS 6.5 | AI score 6.3 | EPSS 0.03699