SecurityWeek
Atlassian Patches Critical Apache Tika Flaw

Atlassian has released software updates for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, and Jira.


Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.

The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika.

The flaw, disclosed in early December, affects the tika-core, tika-pdf-module, and tika-parsers modules of the content extraction toolkit.

It is triggered when Tika parses a PDF that carries a crafted XFA (XML Forms Architecture) form: the embedded XML is processed with external entity resolution left enabled, so an attacker who can get a malicious PDF in front of a Tika-backed service can potentially cause information leaks, denial-of-service (DoS), server-side request forgery (SSRF), or remote code execution (RCE).

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in webpack loader-utils, which is used in Confluence.


Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it affects the lightweight graphic library ZRender.

Atlassian’s fresh round of fixes also resolves more than two dozen high-severity flaws, spanning DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE bugs.

Software updates that fix these defects were released for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management data center and server products.

Because the weaknesses are in third-party dependencies rather than Atlassian’s own code, every Atlassian product that ships a vulnerable version of a given library is affected, which is why the same CVEs recur across the product list above.

Users are advised to apply the patches as soon as possible. Additional information on the bugs and their fixes can be found in Atlassian’s December 2025 security advisory.

Related: Gladinet CentreStack Flaw Exploited to Hack Organizations

Related: Recent GeoServer Vulnerability Exploited in Attacks

Related: Notepad++ Patches Updater Flaw After Reports of Traffic Hijacking

Related: IBM Patches Over 100 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
