Atlassian Patches Critical Apache Tika Flaw

Atlassian has released software updates for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, and Jira. The post Atlassian Patches Critical Apache Tika Flaw appeared first on SecurityWeek.

Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.

The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.

Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the universal parser, the flaw was disclosed in early December.

It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE).

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.

Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it affects the lightweight graphic library ZRender.

Atlassian’s fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.

Software updates that fix these defects were released for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management data center and server products.

Because the weaknesses were found in third-party dependencies, they impact all Atlassian products that rely on them.

Users are advised to apply the patches as soon as possible. Additional information on the bugs and their fixes can be found in Atlassian’s December 2025 security advisory.
