Apache Tika | Breaking Cybersecurity News | The Hacker News

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity ( XXE ) injection attack. The vulnerability, tracked as CVE-2025-66516 , is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF," according to an advisory for the vulnerability. It affects the following Maven packages - org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2) org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2) org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0) XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. This, in tur...