org.apache.tika:tika-core
Maven13 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.tika:tika-corepage 1 of 1
- CVE-2016-4434HIGHCVSS 7.8EG 7.8✓ Fixed in 1.132017-09-30
vulnerable: 0.10 ... 1.9 (20 versions)
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metad…
- CVE-2016-6809CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.142017-04-06
vulnerable: 0.10 ... 1.9 (21 versions)
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
- CVE-2018-11761HIGHCVSS 7.5EG 7.5✓ Fixed in 1.19.12018-09-19
vulnerable: 0.10 ... 1.9 (27 versions)
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
- CVE-2018-11762MEDIUMCVSS 5.9EG 5.9✓ Fixed in 1.192018-09-19
vulnerable: 0.10 ... 1.9 (21 versions)
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would ove…
- CVE-2018-11796HIGHCVSS 7.5EG 7.5✓ Fixed in 1.19.12018-10-09
vulnerable: 0.10 ... 1.9 (27 versions)
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified …
- CVE-2018-1335HIGHCVSS 8.1EG 9.0✓ Fixed in 1.182018-04-25
vulnerable: 1.10 ... 1.9 (11 versions)
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running…
- CVE-2018-1338MEDIUMCVSS 5.5EG 5.5✓ Fixed in 1.182018-04-25
vulnerable: 0.10 ... 1.9 (25 versions)
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
- CVE-2018-8017MEDIUMCVSS 5.5EG 5.5✓ Fixed in 1.192018-09-19
vulnerable: 1.10 ... 1.9 (17 versions)
In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
- CVE-2019-10088HIGHCVSS 8.8EG 8.8✓ Fixed in 1.222019-08-02
vulnerable: 1.10 ... 1.9 (16 versions)
A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
- CVE-2019-10094HIGHCVSS 7.8EG 7.8✓ Fixed in 1.222019-08-02
vulnerable: 1.10 ... 1.9 (16 versions)
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22…
- CVE-2022-30126MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.4.02022-05-16
vulnerable: 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running th…
- CVE-2022-30973MEDIUMCVSS 5.5EG 5.5✓ Fixed in 1.28.32022-05-31
vulnerable: 1.17 ... 1.28.2 (16 versions)
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused …
- CVE-2025-66516HIGHCVSS 8.4EG 8.4✓ Fixed in 3.2.22025-12-04
vulnerable: 1.13 ... 3.2.1 (47 versions)
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.…
Check whether org.apache.tika:tika-core is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.tika:tika-core CVEs against the assets you own.
Start Free Scan →