This vulnerability allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF, affecting Apache Tika's PDF parser module.
Update Apache Tika components to version 3.2.2 or higher, or apply vendor-specific fixes (e.g., Bluemind version 5.3.12 or superior). 54988.rar
CVE-2025-54988 (Critical XXE in Apache Tika tika-core/tika-parsers). This vulnerability allows an attacker to carry out