VulnerableCode Package Details - pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.2

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hyu9-rzgz-1yhw	Apache Tika has XXE vulnerability Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.	CVE-2025-66516 GHSA-f58c-gq56-vjjf
VCID-seg6-emwn-37ee		CVE-2025-54988 GHSA-p72g-pv48-7w9x

Vulnerability

Summary

Aliases

VCID-hyu9-rzgz-1yhw

Apache Tika has XXE vulnerability Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

CVE-2025-66516
GHSA-f58c-gq56-vjjf

VCID-seg6-emwn-37ee

CVE-2025-54988
GHSA-p72g-pv48-7w9x

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T19:22:01.998034+00:00	GitLab Importer	Fixing	VCID-seg6-emwn-37ee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tika/tika-parser-pdf-module/CVE-2025-54988.yml	38.6.0
2026-05-31T11:01:30.695666+00:00	GithubOSV Importer	Fixing	VCID-seg6-emwn-37ee	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-p72g-pv48-7w9x/GHSA-p72g-pv48-7w9x.json	38.6.0
2026-05-31T11:00:27.972216+00:00	GithubOSV Importer	Fixing	VCID-hyu9-rzgz-1yhw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-f58c-gq56-vjjf/GHSA-f58c-gq56-vjjf.json	38.6.0
2026-05-31T01:06:08.449566+00:00	GHSA Importer	Fixing	VCID-hyu9-rzgz-1yhw	https://github.com/advisories/GHSA-f58c-gq56-vjjf	38.6.0
2026-05-30T21:05:25.269681+00:00	GitLab Importer	Fixing	VCID-hyu9-rzgz-1yhw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tika/tika-parser-pdf-module/CVE-2025-66516.yml	38.6.0