From 42393ef6d6a3d631aa84e185b84c1fb3a2da8e01 Mon Sep 17 00:00:00 2001
From: labkey-tchad <tchad@labkey.com>
Date: Mon, 16 Mar 2026 13:55:27 -0700
Subject: [PATCH 1/2] Update PDFBox dependency to 3.0.7

https://nvd.nist.gov/vuln/detail/CVE-2026-23907
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle.properties b/gradle.properties
index 7bfdb42bbe..d4b9623034 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -257,7 +257,7 @@ opencsvVersion=2.3
 openTracingVersion=0.33.0
 
 # sync with version Tika ships
-pdfboxVersion=3.0.4
+pdfboxVersion=3.0.7
 
 # sync with version Tika ships
 poiVersion=5.4.0

From 0115d473c897f8d6626a3b8a210d34797627bfce Mon Sep 17 00:00:00 2001
From: labkey-tchad <tchad@labkey.com>
Date: Mon, 16 Mar 2026 14:25:40 -0700
Subject: [PATCH 2/2] Suppress PDFBox CVE

https://nvd.nist.gov/vuln/detail/CVE-2026-23907
---
 dependencyCheckSuppression.xml | 33 +++++++++++++++++++++++++++++++++
 gradle.properties              |  2 +-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index b181166d9d..27621b7705 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -194,4 +194,37 @@
        <packageUrl regex="true">^pkg:maven/org\.mozilla/rhino@.*$</packageUrl>
        <vulnerabilityName>CVE-2025-66453</vulnerabilityName>
     </suppress>
+
+    <!--
+    Some PDFBox example code (ExtractEmbeddedFiles) contains a path traversal vulnerability. The example code isn't
+    packaged in any jars and we already have checks in place to prevent path traversal vulnerabilities.
+    -->
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-debugger-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-io-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-tools-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
index d4b9623034..7bfdb42bbe 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -257,7 +257,7 @@ opencsvVersion=2.3
 openTracingVersion=0.33.0
 
 # sync with version Tika ships
-pdfboxVersion=3.0.7
+pdfboxVersion=3.0.4
 
 # sync with version Tika ships
 poiVersion=5.4.0