Apache warns of 10.0-rated flaw in Tika metadata toolkit
6 Articles
500+ Apache Tika Toolkit Instances Vulnerable To Critical XXE Attack Exposed Online - Cybernoz - Cybersecurity News
Over 565 internet-exposed Apache Tika Server instances are vulnerable to a critical XML External Entity (XXE) injection flaw that could enable attackers to steal sensitive data, launch denial-of-service attacks, or conduct server-side request forgery operations. The vulnerability, tracked as CVE-2025-66516, affects tika-core versions 1.13.0 through 3.2.1 and carries a maximum CVSS severity score of 10.0. Apache disclosed the flaw on December 4,…
Apache Tika hit by critical vulnerability thought to be patched months ago
A security flaw in the widely used Apache Tika XML document extraction utility, originally made public last summer, is wider in scope and more serious than first thought, the project’s maintainers have warned. Their new alert relates to two entwined flaws: the first, CVE-2025-54988 from August, rated 8.4 in severity, and the second, CVE-2025-66516, made public last week, rated 10. CVE-2025-54988 is a weakness in the tika-parser-pdf-module used to …
Several vulnerabilities threaten Apache HTTP Server and Tika. Attackers can cripple services, among other things.




