From ef0ef207bea51c5484658d4816711188b3fe0a69 Mon Sep 17 00:00:00 2001
From: labkey-susanh <susanh@labkey.com>
Date: Wed, 22 Apr 2026 07:49:54 -0700
Subject: [PATCH 1/2] Suppress CVE for PDFbox that does not affect us

---
 dependencyCheckSuppression.xml | 25 +++++++++++++------------
 gradle.properties              |  2 +-
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index d610e97a2b..6e0de95a90 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -229,31 +229,31 @@
     -->
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-3.0.4.jar
-       ]]></notes>
+    file name: pdfbox-3.0.7.jar
+    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
-        <cve>CVE-2026-23907</cve>
+        <cve>CVE-2026-33929</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-debugger-3.0.4.jar
-       ]]></notes>
+    file name: pdfbox-debugger-3.0.7.jar
+    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
-        <cve>CVE-2026-23907</cve>
+        <cve>CVE-2026-33929</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-io-3.0.4.jar
-       ]]></notes>
+    file name: pdfbox-io-3.0.7.jar
+    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
-        <cve>CVE-2026-23907</cve>
+        <cve>CVE-2026-33929</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-       file name: pdfbox-tools-3.0.4.jar
-       ]]></notes>
+    file name: pdfbox-tools-3.0.7.jar
+    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
-        <cve>CVE-2026-23907</cve>
+        <cve>CVE-2026-33929</cve>
     </suppress>
 
     <!--
@@ -275,4 +275,5 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.ai/mcp-spring-webmvc@.*$</packageUrl>
         <cpe>cpe:/a:vmware:vmware_server</cpe>
     </suppress>
+
 </suppressions>
diff --git a/gradle.properties b/gradle.properties
index fbc8e3d822..4c59a7fa57 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -264,7 +264,7 @@ opencsvVersion=2.3
 openTracingVersion=0.33.0
 
 # sync with version Tika ships
-pdfboxVersion=3.0.4
+pdfboxVersion=3.0.7
 
 # sync with version Tika ships
 poiVersion=5.4.0

From 3de0fc95657905f569cde67557fce09af709a69c Mon Sep 17 00:00:00 2001
From: labkey-susanh <susanh@labkey.com>
Date: Wed, 22 Apr 2026 13:57:03 -0700
Subject: [PATCH 2/2] Suppress CVE for PDFbox that does not affect us

---
 dependencyCheckSuppression.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 6e0de95a90..7a3b3b8e8c 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -229,6 +229,34 @@
     -->
     <suppress>
         <notes><![CDATA[
+   file name: pdfbox-3.0.7.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: pdfbox-debugger-3.0.7.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: pdfbox-io-3.0.7.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: pdfbox-tools-3.0.7.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
     file name: pdfbox-3.0.7.jar
     ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>