
Apache Tika hit by critical vulnerability thought to have been patched months ago



CVE superset

The maintainers have now realized that the XXE injection flaw is not limited to this module. It affects additional Tika components, specifically Apache Tika tika-core, versions 1.13 to 3.2.1, and tika-parsers versions 1.13 to 1.28.5. In addition, legacy Tika parsers versions 1.13 to 1.28.5 are also affected.

Unusually, and confusingly, this means there are now two CVEs for the same issue, with the second, CVE-2025-66516, a superset of the first. Presumably, the reasoning behind issuing a second CVE is that it draws attention to the fact that people who patched CVE-2025-54988 are still at risk because of the additional vulnerable components listed in CVE-2025-66516.
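A dependency check for the version ranges quoted above, as an added example that is not from the article or the Tika project. It assumes the ranges are inclusive, reads text in the `mvn dependency:list` coordinate format, and covers only the two artifact ids the article names; the sample input is constructed.

```python
import re

# Affected ranges as stated in the article; bounds treated as inclusive (assumption).
AFFECTED = {
    ("org.apache.tika", "tika-core"): ("1.13", "3.2.1"),
    ("org.apache.tika", "tika-parsers"): ("1.13", "1.28.5"),
}

# Constructed sample in the coordinate format printed by `mvn dependency:list`.
SAMPLE = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
[INFO]    org.apache.tika:tika-core:jar:1.12:test
[INFO]    org.apache.tika:tika-parsers:jar:1.29-SNAPSHOT:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

# groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+:(?:[\w.\-]+:)?(\d[\w.\-]*):\w+")


def parse_version(text):
    """Numeric prefix of a Maven version as a 3-tuple.

    Qualifiers such as -SNAPSHOT are ignored, so a pre-release of an
    affected version is reported as affected (the conservative choice).
    """
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def find_affected(dependency_list):
    """Return the group:artifact:version strings that fall inside an affected range."""
    hits = []
    for line in dependency_list.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        bounds = AFFECTED.get((group, artifact))
        if bounds and parse_version(bounds[0]) <= parse_version(version) <= parse_version(bounds[1]):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE):
        print("affected:", hit)
```

Transitive dependencies matter here: a project that never declares Tika directly can still pull in tika-core through another library, so run the check against the fully resolved dependency list rather than the declared one.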

So far, there is no evidence that the XXE injection weakness in these CVEs is being exploited by attackers in the wild. However, the risk is that this will quickly change should the vulnerability be reverse engineered or proofs-of-concept appear.
