Saved February 14, 2026
The article discusses CVE-2025-66516, a severe vulnerability in Apache Tika that enables XML External Entity (XXE) attacks. The flaw affects several Tika components and lets an attacker supply crafted files that trigger the XXE, posing serious risk to systems that process untrusted documents if not patched promptly. Users are urged to update all affected modules to mitigate the threat.
CVE-2025-66516 is a critical vulnerability affecting Apache Tika, with a maximum CVSS score of 10.0. It enables XML External Entity (XXE) attacks through malicious files embedded within PDFs. The vulnerability affects multiple Tika components, including tika-core (versions 1.13 to 3.2.1), tika-pdf-module (2.0.0 to 3.2.1), and tika-parsers (1.13 to 1.28.5). Users who updated only the PDF parser without upgrading the core component to version 3.2.2 or later remain vulnerable.
The flaw is part of a troubling trend in 2025, where multiple Apache products faced severe security issues. Earlier vulnerabilities, such as CVE-2025-24813, demonstrated the speed at which attackers exploited weaknesses in Apache Tomcat. The latest XXE vulnerability in Tika broadens the attack surface, making swift patching essential for users. Failure to address this risk could lead to unauthorized file access or even remote code execution.
This vulnerability shares a root cause with CVE-2025-54988 but extends the potential impact to more packages. Users are advised to update all affected modules immediately to mitigate risks. The advisory also highlights that earlier updates may not have covered the 1.x release line, which includes the PDF parser, leaving many systems exposed.
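As an added example (not code from the advisory or the Tika project), a small Python checker that applies the version ranges quoted above to an inventory of installed Tika artifacts and flags the partial-patch case the summary warns about, where the PDF module is current but tika-core is not. The inventory dict and artifact names are constructed assumptions for illustration.

```python
"""Assess an inventory of Apache Tika artifacts against the CVE-2025-66516
version ranges given in the advisory summary (inclusive ranges, per artifact).
The ranges come from the page; everything else here is an assumption."""

# Inclusive vulnerable ranges as stated in the summary.
VULNERABLE_RANGES = {
    "tika-core": ("1.13", "3.2.1"),        # fixed in 3.2.2 and later
    "tika-pdf-module": ("2.0.0", "3.2.1"),
    "tika-parsers": ("1.13", "1.28.5"),    # the 1.x line that bundles the PDF parser
}


def parse_version(v: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1) so tuples compare numerically; pad to 3 parts."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def assess(installed: dict) -> dict:
    """installed maps artifact name -> version string for the modules present.
    Returns per-module vulnerable flags, a 'partial_patch' flag for the
    'PDF module updated but core still old' case, and an overall verdict."""
    modules = {}
    for name, version in installed.items():
        if name in VULNERABLE_RANGES:
            low, high = VULNERABLE_RANGES[name]
            modules[name] = in_range(version, low, high)
    pdf_present = "tika-pdf-module" in modules
    pdf_patched = pdf_present and not modules["tika-pdf-module"]
    core_vulnerable = modules.get("tika-core", False)
    return {
        **modules,
        "partial_patch": pdf_patched and core_vulnerable,
        "vulnerable": any(modules.values()),
    }


if __name__ == "__main__":
    # Constructed sample inventory: PDF module upgraded, core left behind.
    sample = {"tika-core": "3.2.1", "tika-pdf-module": "3.2.2", "tika-parsers": "1.28.5"}
    print(assess(sample))
```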