Infosec in Brief: The Apache Foundation last week warned of a 10.0-rated flaw in its Tika toolkit.
Tika detects and extracts metadata from over 1,000 different file formats. Last August, Apache reported CVE-2025-54988, an 8.4-rated flaw that it warned allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF.
Apache fixed that flaw but last Friday announced a related, and worse, problem known as CVE-2025-66516.
As Apache explained, the entry point for CVE-2025-54988 was Tika’s tika-parser-pdf-module, but the vulnerability and its fix were in another piece of code called tika-core. “Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable,” the organization advised.
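A dependency inventory can be checked for the partial-upgrade case Apache describes. The following is an added example, not code from Apache or from this article: it scans Maven coordinates or jar file names for any copy of tika-core below 3.2.2. The function names and sample inventories are constructed for illustration, and version qualifiers such as -SNAPSHOT are ignored (only the numeric part is compared).

```python
import re

FIXED_CORE = (3, 2, 2)  # per the advisory: tika-core must be >= 3.2.2

# Maven coordinates (group:artifact:jar:version) and jar file names.
COORD = re.compile(r"org\.apache\.tika:(tika-[\w-]+):jar:(\d+(?:\.\d+)*)")
JAR = re.compile(r"(?:^|[/\\\s])(tika-[a-z-]+?)-(\d+(?:\.\d+)*)[\w.-]*\.jar")

def find_tika(lines):
    """Map each Tika artifact seen to the set of numeric versions found."""
    found = {}
    for line in lines:
        for pattern in (COORD, JAR):
            for artifact, version in pattern.findall(line):
                numeric = tuple(int(p) for p in version.split("."))
                found.setdefault(artifact, set()).add(numeric)
    return found

def assess(lines):
    """Return (status, old_core_versions) for one application's inventory."""
    found = find_tika(lines)
    if not found:
        return "no-tika", []
    core = found.get("tika-core", set())
    if not core:
        # Other Tika modules without a visible core: it may be shaded
        # into a fat jar, so this needs manual inspection.
        return "core-not-found", []
    old = sorted(v for v in core if v < FIXED_CORE)
    # Any old copy counts, even when a fixed copy is also present.
    return ("vulnerable" if old else "ok"), old

# Constructed sample inventories (not taken from the article).
PARTIAL_UPGRADE = [
    "org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
    "org.apache.tika:tika-core:jar:3.1.0:compile",
]
DUPLICATE_CORE = [
    "WEB-INF/lib/tika-core-3.2.2.jar",
    "WEB-INF/lib/tika-parser-pdf-module-3.2.2.jar",
    "plugins/legacy/lib/tika-core-2.9.1.jar",
]

if __name__ == "__main__":
    for name, inv in (("partial", PARTIAL_UPGRADE), ("dup", DUPLICATE_CORE)):
        print(name, assess(inv))
```

Feed it the output of a dependency listing or a recursive file listing of the deployment. A "core-not-found" result means tika-core was not visible by name and the artifact needs to be unpacked and inspected.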
The org’s new advisory

The Register
