CVE superset
The maintainers have since established that the XXE injection flaw is not confined to that one module. It also affects other Tika components: Apache Tika tika-core versions 1.13 to 3.2.1, and tika-parsers versions 1.13 to 1.28.5. Legacy Tika parsers versions 1.13 to 1.28.5 are affected as well.
Unusually, and confusingly, this means there are now two CVEs for the same issue, with the second, CVE-2025-66516, a superset of the first. Presumably the reasoning behind issuing a second CVE is that it draws attention to the fact that people who patched CVE-2025-54988 are still at risk because of the additional vulnerable components listed in CVE-2025-66516.
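As an added example, not taken from the article or from the Tika project's own tooling: a small Python check that scans Maven `dependency:list` output for Tika artifacts whose versions fall inside the ranges quoted above. The PDF parser module's artifactId (tika-parser-pdf-module) and its range are assumed from the original CVE-2025-54988 advisory rather than from this page, and the dependency lines are constructed. It shows the case the article warns about: a build that moved the PDF module past 3.2.1 but left tika-core on 3.2.1 is still flagged under CVE-2025-66516.

```python
"""Flag Apache Tika artifacts inside the affected ranges for
CVE-2025-54988 / CVE-2025-66516 (added example; sample input is constructed)."""

import re
from typing import Optional

# Inclusive affected ranges as the article states them.  The PDF parser module
# entry is an assumption taken from the original CVE-2025-54988 advisory (the
# artifactId is not named on this page); the superset CVE-2025-66516 covers it too.
AFFECTED_RANGES = {
    "tika-parser-pdf-module": ("CVE-2025-54988", (1, 13, 0), (3, 2, 1)),
    "tika-core":              ("CVE-2025-66516", (1, 13, 0), (3, 2, 1)),
    "tika-parsers":           ("CVE-2025-66516", (1, 13, 0), (1, 28, 5)),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Maven `dependency:list` prints "groupId:artifactId:type:version:scope".
_MAVEN_LINE_RE = re.compile(r"org\.apache\.tika:([\w.-]+):[\w-]+:([^:\s]+):")


def parse_version(version: str) -> tuple:
    """Normalise '1.13' or '3.2.1' to a (major, minor, patch) tuple.

    Qualifiers such as '-SNAPSHOT' are ignored so that ordering stays numeric.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tika version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(artifact: str, version: str) -> Optional[str]:
    """Return the CVE id the artifact/version pair falls under, or None."""
    entry = AFFECTED_RANGES.get(artifact)
    if entry is None:
        return None
    cve, low, high = entry
    return cve if low <= parse_version(version) <= high else None


def audit(dependency_list: str) -> list:
    """Scan Maven dependency:list output; return (artifact, version, cve) findings."""
    findings = []
    for line in dependency_list.splitlines():
        m = _MAVEN_LINE_RE.search(line)
        if not m:
            continue  # not an org.apache.tika artifact
        artifact, version = m.groups()
        cve = is_affected(artifact, version)
        if cve:
            findings.append((artifact, version, cve))
    return findings


# Constructed sample: a build that bumped only the PDF module after the first CVE.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
[INFO]    commons-io:commons-io:jar:2.16.1:compile
"""

if __name__ == "__main__":
    for artifact, version, cve in audit(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: affected by {cve}")
```

Run it against `mvn dependency:list` output from the real build; anything it reports under CVE-2025-66516 needs upgrading even if the PDF module was already moved forward for CVE-2025-54988. The ranges are hard-coded from the article, so re-check them against the current advisory before relying on the script.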
So far there is no evidence that the XXE injection weakness in these CVEs is being exploited by attackers in the wild. However, the risk is that this will change quickly should the vulnerability be reverse engineered from the fix or proofs of concept appear.