Critical Apache Tika Vulnerability: CVE-2025-66516 Enables XXE Injection
ID: 89b0f7cd-f703-573a-9ffd-7dfb279839e9
STIX ID: report--89b0f7cd-f703-573a-9ffd-7dfb279839e9
Feed Name: Abstract Security Blog
CVE-2025-66516 is a critical XML External Entity (XXE) vulnerability in Apache Tika (CVSS 10.0) affecting tika-core, tika-parser-pdf-module, and tika-parsers. It can be triggered by having Tika process a crafted PDF containing XFA content, enabling arbitrary file reads, server-side request forgery (SSRF), or denial of service (DoS). Organizations must upgrade tika-core to 3.2.2 (and tika-parsers to 2.0.0 for 1.x users), audit transitive dependencies, and apply mitigations such as disabling PDF parsing, sandboxing, and network restrictions, while monitoring for the provided IOCs.
