Apache POI Vulnerability CVE-2022-26336 

Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4

Security Issue ID



Affected Product Version(s)

15.0.0, 14.7.6, 13.4.17, and all previous versions





A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (the format used by Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.

This is unlikely to affect brXM, since the necessary payload file types are not part of the set that is configured by default as acceptable for uploads by content editors. However, this file type set is configurable by customers, so there is some risk if a project has customized it. The risk is mitigated by the fact that file uploads are typically permitted only for trusted content editors.
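For projects that have widened the accepted upload types, a content-based check can keep TNEF data away from any parser regardless of file name or declared MIME type. The following is an added example, not code from brXM or Apache POI; the class and method names are hypothetical, the sample bytes are constructed, and it assumes Java 9 or later and that the project has a hook where the upload stream can be wrapped before processing.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.util.Arrays;

/** Hypothetical upload guard: rejects TNEF by content, before any parser sees it. */
public final class TnefUploadGuard {

    // A TNEF stream starts with the 32-bit little-endian signature 0x223E9F78,
    // which appears in the file as the bytes 78 9F 3E 22.
    private static final byte[] TNEF_MAGIC = {0x78, (byte) 0x9F, 0x3E, 0x22};

    /**
     * Peeks at the first four bytes of the upload and pushes them back, so an
     * accepted upload can still be read from the start via the returned stream.
     */
    public static InputStream rejectTnef(InputStream upload) throws IOException {
        PushbackInputStream in = new PushbackInputStream(upload, TNEF_MAGIC.length);
        byte[] head = new byte[TNEF_MAGIC.length];
        int n = in.readNBytes(head, 0, head.length); // loops over short reads
        if (n > 0) {
            in.unread(head, 0, n);
        }
        if (n == TNEF_MAGIC.length && Arrays.equals(head, TNEF_MAGIC)) {
            throw new IOException("TNEF content is not accepted for upload");
        }
        return in;
    }

    public static void main(String[] args) {
        // Constructed samples: the start of a TNEF stream and the start of a PNG.
        byte[] tnef = {0x78, (byte) 0x9F, 0x3E, 0x22, 0x01, 0x00};
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A};
        for (byte[] sample : new byte[][] {tnef, png}) {
            try {
                rejectTnef(new ByteArrayInputStream(sample));
                System.out.println("accepted");
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A check like this narrows exposure on a customized upload configuration; it does not remove the flaw in poi-scratchpad itself.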


Update to the latest version.