Critical XXE flaw threatens widely used parsing tools.

A newly disclosed Apache Tika vulnerability allows attackers to trigger XXE injection using crafted XFA content embedded in PDF files. The issue affects multiple Tika modules and carries a maximum CVSS score due to the potential for data leaks, SSRF, denial‑of‑service, or even remote code execution. Project maintainers say the flaw broadens the scope of an earlier XXE bug and required coordinated fixes across core and parser components. Patches are now available, and users are urged to update because Tika’s modules are embedded in many search, content management, and analysis systems.

Read more:

https://www.securityweek.com/critical-apache-tika-vulnerability-leads-to-xxe-injection/