Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-hyu9-rzgz-1yhw
Summary
Apache Tika has XXE vulnerability
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF.

This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways.

First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable.

Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
Aliases
0
alias CVE-2025-66516
1
alias GHSA-f58c-gq56-vjjf
Fixed_packages
0
url pkg:maven/org.apache.tika/tika-core@3.2.2
purl pkg:maven/org.apache.tika/tika-core@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@3.2.2
1
url pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.2
purl pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.2
2
url pkg:maven/org.apache.tika/tika-parsers@2.0.0
purl pkg:maven/org.apache.tika/tika-parsers@2.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-parsers@2.0.0
Affected_packages
0
url pkg:maven/org.apache.tika/tika-core@1.13
purl pkg:maven/org.apache.tika/tika-core@1.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hyu9-rzgz-1yhw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@1.13
1
url pkg:maven/org.apache.tika/tika-core@3.2.1
purl pkg:maven/org.apache.tika/tika-core@3.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hyu9-rzgz-1yhw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@3.2.1
2
url pkg:maven/org.apache.tika/tika-parser-pdf-module@2.0.0
purl pkg:maven/org.apache.tika/tika-parser-pdf-module@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hyu9-rzgz-1yhw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-parser-pdf-module@2.0.0
3
url pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.1
purl pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hyu9-rzgz-1yhw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-parser-pdf-module@3.2.1
4
url pkg:maven/org.apache.tika/tika-parsers@1.13
purl pkg:maven/org.apache.tika/tika-parsers@1.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-azes-yhcs-cuen
1
vulnerability VCID-hyu9-rzgz-1yhw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-parsers@1.13
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66516
reference_id
reference_type
scores
0
value 0.01579
scoring_system epss
scoring_elements 0.8188
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66516
1
reference_url https://cve.org/CVERecord?id=CVE-2025-54988
reference_id
reference_type
scores
url https://cve.org/CVERecord?id=CVE-2025-54988
2
reference_url https://github.com/apache/tika
reference_id
reference_type
scores
url https://github.com/apache/tika
3
reference_url https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
reference_id
reference_type
scores
url https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66516
reference_id CVE-2025-66516
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-66516
5
reference_url https://github.com/advisories/GHSA-f58c-gq56-vjjf
reference_id GHSA-f58c-gq56-vjjf
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f58c-gq56-vjjf
Weaknesses
0
cwe_id 611
name Improper Restriction of XML External Entity Reference
description The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score9.0 - 10.0
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-hyu9-rzgz-1yhw