Hi Tika Team,
From our scan of the Tika 3.2.3 jar file, we have seen a vulnerability: one of the jar files uses the vulnerable version 7.5.5 of junrar.
POM file reference:
tika-parent/pom.xml: <junrar.version>7.5.5</junrar.version>
CVE info:
CVE-2026-28208: Junrar is an open source Java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix.
Is there any possible fix in an upcoming release, say 4.x? Kindly share more info on this.
Regards,
Saravanan B
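
For readers handling archive extraction themselves, a containment check for the class of bug the CVE text describes. This is an added example, not junrar's or Tika's code and not the upstream fix; `SafeEntryPath`, `resolve` and the sample entry names are hypothetical and constructed. It treats backslashes as separators before checking that the entry stays under the destination directory.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example; SafeEntryPath and resolve() are hypothetical names.
public class SafeEntryPath {

    /**
     * Maps an archive entry name to a path under destDir, or throws if the
     * entry would land outside it. Backslashes count as separators on every
     * platform, so "..\\..\\x" is judged the same way as "../../x".
     */
    static Path resolve(Path destDir, String entryName) throws IOException {
        if (entryName == null || entryName.isEmpty() || entryName.indexOf('\0') >= 0) {
            throw new IOException("invalid entry name");
        }
        // Unify separators BEFORE the containment check, so the check sees
        // the same path that will later be written.
        String unified = entryName.replace('\\', '/');
        // Reject absolute paths and drive-letter prefixes such as C:/...
        if (unified.startsWith("/") || unified.matches("^[A-Za-z]:.*")) {
            throw new IOException("absolute entry name: " + entryName);
        }
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(unified).normalize();
        if (!target.startsWith(base)) { // component-wise prefix comparison
            throw new IOException("entry escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract-demo"); // constructed destination
        String[] names = {                          // constructed entry names
            "docs/readme.txt", "docs\\sub\\a.txt", "..\\..\\outside.txt",
            "../outside.txt", "/abs/file.txt", "a/../../b"
        };
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + resolve(dest, n));
            } catch (IOException e) {
                System.out.println("REJECT  " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical only: `normalize()` does not resolve symbolic links, so it does not cover an entry written through a symlink that already exists under the destination.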
