CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-66516

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 8.4%

CVSS Severity

CVSS v3 Score 9.8

References

Products affected by CVE-2025-66516

Apache » Tika » Version: 1.13

cpe:2.3:a:apache:tika:1.13
Apache » Tika » Version: 1.14

cpe:2.3:a:apache:tika:1.14
Apache » Tika » Version: 1.15

cpe:2.3:a:apache:tika:1.15
Apache » Tika » Version: 1.16

cpe:2.3:a:apache:tika:1.16
Apache » Tika » Version: 1.17

cpe:2.3:a:apache:tika:1.17
Apache » Tika » Version: 1.18

cpe:2.3:a:apache:tika:1.18
Apache » Tika » Version: 1.19

cpe:2.3:a:apache:tika:1.19
Apache » Tika » Version: 1.19.1

cpe:2.3:a:apache:tika:1.19.1
Apache » Tika » Version: 1.20

cpe:2.3:a:apache:tika:1.20
Apache » Tika » Version: 1.21

cpe:2.3:a:apache:tika:1.21
Apache » Tika » Version: 1.22

cpe:2.3:a:apache:tika:1.22
Apache » Tika » Version: 1.23

cpe:2.3:a:apache:tika:1.23
Apache » Tika » Version: 1.24

cpe:2.3:a:apache:tika:1.24
Apache » Tika » Version: 1.24.1

cpe:2.3:a:apache:tika:1.24.1
Apache » Tika » Version: 1.25

cpe:2.3:a:apache:tika:1.25
Apache » Tika » Version: 1.26

cpe:2.3:a:apache:tika:1.26
Apache » Tika » Version: 1.27

cpe:2.3:a:apache:tika:1.27
Apache » Tika » Version: 1.28

cpe:2.3:a:apache:tika:1.28
Apache » Tika » Version: 1.28.1

cpe:2.3:a:apache:tika:1.28.1
Apache » Tika » Version: 1.28.2

cpe:2.3:a:apache:tika:1.28.2
Apache » Tika » Version: 1.28.3

cpe:2.3:a:apache:tika:1.28.3
Apache » Tika » Version: 1.28.4

cpe:2.3:a:apache:tika:1.28.4
Apache » Tika » Version: 1.28.5

cpe:2.3:a:apache:tika:1.28.5
Apache » Tika » Version: 2.0.0

cpe:2.3:a:apache:tika:2.0.0
Apache » Tika » Version: 2.1.0

cpe:2.3:a:apache:tika:2.1.0
Apache » Tika » Version: 2.2.0

cpe:2.3:a:apache:tika:2.2.0
Apache » Tika » Version: 2.2.1

cpe:2.3:a:apache:tika:2.2.1
Apache » Tika » Version: 2.3.0

cpe:2.3:a:apache:tika:2.3.0
Apache » Tika » Version: 2.4.0

cpe:2.3:a:apache:tika:2.4.0
Apache » Tika » Version: 2.4.1

cpe:2.3:a:apache:tika:2.4.1
Apache » Tika » Version: 2.5.0

cpe:2.3:a:apache:tika:2.5.0
Apache » Tika » Version: 2.6.0

cpe:2.3:a:apache:tika:2.6.0
Apache » Tika » Version: 2.7.0

cpe:2.3:a:apache:tika:2.7.0
Apache » Tika » Version: 2.8.0

cpe:2.3:a:apache:tika:2.8.0
Apache » Tika » Version: 2.9.0

cpe:2.3:a:apache:tika:2.9.0
Apache » Tika » Version: 2.9.1

cpe:2.3:a:apache:tika:2.9.1
Apache » Tika » Version: 2.9.2

cpe:2.3:a:apache:tika:2.9.2
Apache » Tika » Version: 2.9.3

cpe:2.3:a:apache:tika:2.9.3
Apache » Tika » Version: 2.9.4

cpe:2.3:a:apache:tika:2.9.4
Apache » Tika » Version: 3.0.0

cpe:2.3:a:apache:tika:3.0.0
Apache » Tika » Version: 3.1.0

cpe:2.3:a:apache:tika:3.1.0
Apache » Tika » Version: 3.2.0

cpe:2.3:a:apache:tika:3.2.0
Apache » Tika » Version: 3.2.1

cpe:2.3:a:apache:tika:3.2.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-66516

Products

Pricing

Contact Us