Please stop. 2.9.4 was our last 2.x release. As we've told you, that hit end of life - including security updates - a full year ago.
On Wed, Apr 8, 2026 at 12:32 AM Saravanan Balakrishnan < [email protected]> wrote: > Hi Tika Team, > Please provide our input on CVE CVE-2026-35554 which is "Apache Kafka > Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool > Race Condition" > > On my analysis inTika2.9.5 jar file: > > $ grep "kafka-clients" * -i -R > META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml: > kafka.clients;substitute="kafka-clients";transitive=false;static=true, > META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml: > <artifactId>kafka-clients</artifactId> > > I could see only used in log4j core usage, and I don't see the version of > kafka-clients been build or incorporated in META-INF files or in any pom > files. Kindly provide your input on this vulnerability affects the Tika > 2.9.5 stream. > > Thanks in advance. > > Regards, > Saravanan B >
