Maven package
org.apache.tika/tika-parsers
pkg:maven/org.apache.tika/tika-parsers
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66516 | — | >= 1.13, < 2.0.0 | 2.0.0 | Dec 4, 2025 | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability | ||
| CVE-2025-54988 | — | >= 1.13, < 2.0.0-ALPHA | 2.0.0-ALPHA | Aug 20, 2025 | Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger ma | ||
| CVE-2019-10093 | — | >= 1.19, < 1.22 | 1.22 | Aug 2, 2019 | In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later. | ||
| CVE-2018-17197 | — | >= 1.8, < 1.20 | 1.20 | Dec 24, 2018 | A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika. | ||
| CVE-2018-1339 | — | < 1.18 | 1.18 | Apr 25, 2018 | A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18. |
- CVE-2025-66516Dec 4, 2025affected >= 1.13, < 2.0.0fixed 2.0.0
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability
- CVE-2025-54988Aug 20, 2025affected >= 1.13, < 2.0.0-ALPHAfixed 2.0.0-ALPHA
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger ma
- CVE-2019-10093Aug 2, 2019affected >= 1.19, < 1.22fixed 1.22
In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
- CVE-2018-17197Dec 24, 2018affected >= 1.8, < 1.20fixed 1.20
A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
- CVE-2018-1339Apr 25, 2018affected < 1.18fixed 1.18
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.