Atlassian security patch release for CVE-2025-66516
Security Patch Release
Summary
Hide ▲
Show ▼
Atlassian released December 2025 patches for roughly 30 third-party vulnerabilities, reducing exposure across Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The bundle includes critical-severity flaws, led by CVE-2025-66516 in Apache Tika. That issue is a CVSS 10.0 XXE injection bug that can be triggered through crafted XFA files inside PDF files and may lead to information leaks, DoS, SSRF, or RCE. Atlassian advised users to apply the patches as soon as possible.
Related Happenings
AWS Amazon Q Developer patch for CVE-2026-12957 and CVE-2026-12958
Security Patch Release
H score18
First: 26.06.2026 18:23
Last: 26.06.2026 18:23
Sources 1
About this happening:
**AWS** released fixes for **Amazon Q Developer** after a high-severity flaw in the **VS Code extension** could expose developers’ **cloud credentials**. The patch set covers **CV...
AWS Amazon Q Developer patch for CVE-2026-12957 and CVE-2026-12958
Security Patch ReleaseAbout this happening: **AWS** released fixes for **Amazon Q Developer** after a high-severity flaw in the **VS Code extension** could expose developers’ **cloud credentials**. The patch set covers **CV...
Squid web proxy patch for CVE-2026-47729
Security Patch Release
H score20
First: 22.06.2026 17:29
Last: 22.06.2026 17:29
Sources 1
About this happening:
**Squid maintainers** merged a **null-terminator check** for **CVE-2026-47729** into the **development branch** and **v7**, closing the FTP-parser over-read that could expose shar...
Squid web proxy patch for CVE-2026-47729
Security Patch ReleaseAbout this happening: **Squid maintainers** merged a **null-terminator check** for **CVE-2026-47729** into the **development branch** and **v7**, closing the FTP-parser over-read that could expose shar...
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
Langflow security patch release for CVE-2026-5027
Security Patch Release
H score38
First: 11.06.2026 00:23
Last: 11.06.2026 00:23
Sources 1
About this happening:
**Langflow** shipped fixes for **CVE-2026-5027**, closing a **path traversal** flaw that let attackers write arbitrary files on exposed servers. The patch landed in **langflow-bas...
Langflow security patch release for CVE-2026-5027
Security Patch ReleaseAbout this happening: **Langflow** shipped fixes for **CVE-2026-5027**, closing a **path traversal** flaw that let attackers write arbitrary files on exposed servers. The patch landed in **langflow-bas...
Fortinet security patch release for CVE-2026-25089
Security Patch Release
H score44
First: 10.06.2026 18:10
Last: 10.06.2026 18:10
Sources 1
About this happening:
**Fortinet**, **Ivanti**, and **SAP** released **security updates** that address multiple **critical vulnerabilities** across **FortiSandbox**, **Ivanti Sentry**, and **SAP** prod...
Fortinet security patch release for CVE-2026-25089
Security Patch ReleaseAbout this happening: **Fortinet**, **Ivanti**, and **SAP** released **security updates** that address multiple **critical vulnerabilities** across **FortiSandbox**, **Ivanti Sentry**, and **SAP** prod...
Latest development: 11.06.2026 09:20
Shadowserver reported large-scale exploitation attempts against Internet-exposed Ivanti Sentry gateways after CVE-2026-10520 was patched in R10.5.2, R10.6.2, and R10.7.1, saying it saw 19 vulnerable instances and at least 2 backdoored systems and warning that unpatched devices were most likely compromised.
Timeline
-
15.12.2025 13:00 2 articles · 6mo ago
Atlassian releases December 2025 patches for third-party vulnerabilities
Mitigation Patch UpdateAtlassian released fixes for roughly 30 third-party vulnerabilities across Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management, including CVE-2025-66516, a CVSS 10/10 XML External Entity (XXE) injection bug in Apache Tika affecting tika-core, tika-pdf-module, and tika-parsers. The release also addressed CVE-2022-37601 in webpack loader-utils and CVE-2021-39227 in ZRender, with Atlassian advising users to apply the patches as soon as possible.
Show sources
- Atlassian Patches Critical Apache Tika Flaw — www.securityweek.com — 15.12.2025 13:00
- Atlassian Patches Critical Apache Tika Flaw — www.securityweek.com — 15.12.2025 13:00