According to its self-reported version number, the Atlassian Jira application running on the remote host is 10.3.x prior to 10.3.13 or 11.x prior to 11.2.0. It is, therefore, affected by a XML External Entity Injection (XXE) vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on     all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside     of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal     resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several     Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app,     tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this     issue. (CVE-2025-54988)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Oracle Business Process Management Suite installed on the remote host is affected by a vulnerability, as referenced in the January 2026 CPU advisory:

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Composer (Apache Commons Lang)). The supported version that is affected is 14.1.2.0.0.     Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can     result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business     Process Management Suite. (CVE-2025-48924)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Composer (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.4.0     and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle      Business Process Management Suite. (CVE-2025-48976)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Oracle Business Rules (Apache Commons Compress)). The supported version that is affected is     14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can     result in takeover of Oracle Business Process Management Suite. (CVE-2025-54988)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Runtime Engine (Apache Tika)). Supported versions that are affected are 12.2.1.4.0 and     14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Business Process Management Suite. While the vulnerability is in Oracle     Business Process Management Suite, attacks may significantly impact additional products (scope change).     Successful attacks of this vulnerability can result in takeover of Oracle Business Process Management     Suite. (CVE-2025-66516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101878 advisory.

  - Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on     all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside     of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal     resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several     Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app,     tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this     issue. (CVE-2025-54988)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16478 advisory.

  - Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on     all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside     of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal     resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several     Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app,     tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this     issue. (CVE-2025-54988)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4350 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4350-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Paride Legovini     October 26, 2025                              https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : tika     Version        : 1.22-2+deb11u1     CVE ID         : CVE-2025-54988

    A vulnerability has been fixed in the tika package, which distributes the     Apache Tika content analysis toolkit. The vulnerability affects the     tika-parser-pdf-module component and allows an attacker to carry out XML     External Entity injection via a crafted XFA file inside of a PDF. An attacker     may be able to read sensitive data or trigger malicious requests to internal     resources or third-party servers.

    For Debian 11 bullseye, this problem has been fixed in version     1.22-2+deb11u1.

    We recommend that you upgrade your tika packages.

    For the detailed security status of tika please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tika

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
115080	Atlassian Jira 10.3.x < 10.3.13 XML External Entity Injection	Web App Scanning	Component Vulnerability	12/17/2025	12/17/2025	critical
115081	Atlassian Jira 11.x < 11.2.0 XML External Entity Injection	Web App Scanning	Component Vulnerability	12/17/2025	12/17/2025	critical
260140	Linux Distros Unpatched Vulnerability : CVE-2025-54988	Nessus	Misc.	9/1/2025	4/29/2026	critical
294978	Oracle Business Process Management Suite (14.1.2.0.0) (January 2026 CPU)	Nessus	Misc.	1/22/2026	4/30/2026	critical
298175	Atlassian Confluence 7.7.x < 8.5.31 / 8.6.x < 9.2.13 / 9.3.1 < 10.2.2 (CONFSERVER-101878)	Nessus	CGI abuses	2/6/2026	2/6/2026	critical
282636	Atlassian Jira Service Management Data Center and Server 10.3.0 < 10.3.13 / 11.0.x < 11.2.0 (JSDSERVER-16478)	Nessus	Misc.	1/13/2026	1/13/2026	critical
271505	Debian dla-4350 : libtika-java - security update	Nessus	Debian Local Security Checks	10/26/2025	10/26/2025	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical