Apache Tika critical XXE flaw (CVE-2025-66516)
Vulnerability
Summary
Apache Tika has disclosed CVE-2025-66516, a critical XXE vulnerability that lets an attacker use a crafted XFA file inside a PDF to trigger XML External Entity injection across the affected parsing modules. The flaw carries a CVSS score of 10.0, so exposed deployments face maximum-severity risk. Impacted components include tika-core, tika-pdf-module, and tika-parsers, with fixed releases available for the affected package ranges. Administrators are urged to patch immediately because XXE can expose local files and, in some cases, enable remote code execution.
Related Happenings
CISA Apache ActiveMQ CVE-2026-34197 mitigation order
Advisory/Mitigation
First: 21.04.2026 14:17
Last: 21.04.2026 14:17
Sources 1
About this happening:
**CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
CISA adds CVE-2025-61932 to KEV and sets FCEB remediation deadline
Public Sector Action
First: 23.10.2025 08:37
Last: 23.10.2025 08:37
Sources 1
About this happening:
**CISA** added **CVE-2025-61932** affecting **Motex Lanscope Endpoint Manager** to the **KEV catalog** after confirming it was **actively exploited in the wild**. The action matte...
Timeline
- 15.12.2025 13:00 · 1 article · 5mo ago
Atlassian patches CVE-2025-66516 across products
Mitigation Patch Update: Atlassian released software updates for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management to fix roughly 30 third-party vulnerabilities, including CVE-2025-66516 in Apache Tika and additional critical flaws such as CVE-2022-37601 in webpack loader-utils and CVE-2021-39227 in ZRender.
- Atlassian Patches Critical Apache Tika Flaw — www.securityweek.com — 15.12.2025 13:00
- 05.12.2025 18:23 · 2 articles · 5mo ago
Apache Tika discloses CVE-2025-66516 critical XXE flaw
Initial Disclosure: Apache Tika disclosed CVE-2025-66516, a critical XML External Entity (XXE) vulnerability rated CVSS 10.0. The issue affects tika-core, tika-pdf-module, and tika-parsers on all platforms and can be triggered with a crafted XFA file inside a PDF. Users were urged to patch immediately, with fixed releases identified for the affected package ranges, including tika-core 3.2.2, tika-pdf-module 3.2.2, and tika-parsers 2.0.0.
- Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch — thehackernews.com — 05.12.2025 18:23