Atlassian Patches Critical Apache Tika Flaw

Atlassian has released software updates for Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, and Jira.

Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws.

The fix that stands out is for CVE-2025-66516 (CVSS score of 10.0), a critical-severity XML External Entity (XXE) injection bug in Apache Tika, the open source toolkit used to extract text and metadata from documents.

The flaw, disclosed in early December, affects the tika-core, tika-pdf-module, and tika-parsers modules.

It can be triggered by a crafted XFA (XML Forms Architecture) form embedded in a PDF: when Tika parses the form's XML, an attacker-supplied DTD can declare external entities, the classic XXE pattern. Depending on where the parser runs, the impact ranges from information leaks (such as local file contents) and denial-of-service (DoS) to SSRF attacks and, potentially, remote code execution (RCE). Because document parsers such as Tika are typically run against user-supplied attachments, defenders should treat any upload path that reaches the affected modules as attack surface.
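Two practical checks follow from the description above: triaging PDFs already sitting in attachment stores for XFA form XML that carries a DTD, and making sure any XML parser your own code points at form data refuses a DOCTYPE before an entity can be declared. The script below is an added example written for this article; it is not code from SecurityWeek, Atlassian or Apache Tika, and it does not reproduce the CVE-2025-66516 trigger. Both sample PDFs are constructed inline by `build_sample_pdf` (a hypothetical helper), and the DTD in the second sample is the generic XXE pattern, an external entity aimed at a local file. The scanner is a heuristic: it only inflates FlateDecode streams and does not unpack object streams or encrypted files, so an empty result is not proof that a file is clean.

```python
import re
import xml.parsers.expat
import zlib

STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")     # skip "endstream"
DTD_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
XFA_HINT_RE = re.compile(rb"<xdp:xdp|xfa\.org|<xfa:", re.IGNORECASE)


def _stream_body(pdf: bytes, start: int, dictionary: bytes) -> bytes:
    """Slice the stream by its direct /Length; fall back to 'endstream'."""
    length = re.search(rb"/Length\s+(\d+)(?=\s*[/>])", dictionary)
    if length:
        return pdf[start:start + int(length.group(1))]
    end = pdf.find(b"endstream", start)
    return pdf[start:end] if end >= 0 else pdf[start:]


def _decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Inflate FlateDecode streams; on error scan the raw bytes anyway."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(body)
        except zlib.error:
            return body
    return body


def scan_pdf_for_xfa_dtd(pdf: bytes) -> list:
    """Return one finding per XFA stream that declares a DOCTYPE."""
    findings = []
    for m in STREAM_START_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 4096):m.start()]
        obj_ids = re.findall(rb"(\d+)\s+\d+\s+obj", head)
        pos = head.rfind(b"obj")
        dictionary = head[pos:] if pos >= 0 else head
        data = _decode_stream(dictionary, _stream_body(pdf, m.end(), dictionary))
        if not XFA_HINT_RE.search(data):
            continue                      # page content, fonts, images ...
        dtd = DTD_RE.search(data)
        if dtd is None:
            continue                      # XFA without a DTD: the normal case
        findings.append({
            "object": int(obj_ids[-1]) if obj_ids else None,
            "compressed": b"/FlateDecode" in dictionary,
            "external_entity": EXTERNAL_ENTITY_RE.search(data) is not None,
            "dtd": data[dtd.start():dtd.start() + 80],
        })
    return findings


class DtdNotAllowed(ValueError):
    """Raised when form XML declares a DOCTYPE, which XFA never needs."""


def parse_xfa_without_dtd(xml_bytes: bytes) -> list:
    """Parse form XML, refusing any DOCTYPE up front; return element names."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not allowed in form XML")

    parser.StartDoctypeDeclHandler = refuse_doctype   # fires before any entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


def form_xml_is_safe(xml_bytes: bytes) -> bool:
    """True when the form XML parses without a DTD, False when refused."""
    try:
        parse_xfa_without_dtd(xml_bytes)
        return True
    except DtdNotAllowed:
        return False


# Constructed sample form XML (hypothetical, minimal XFA template).
BENIGN_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
    <subform name="form1"><field name="Name"/></subform>
  </template>
</xdp:xdp>
"""
# Constructed: the same form with a DTD declaring an external entity (generic XXE).
XXE_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xdp:xdp [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
    <subform name="form1"><field name="Name"><value><text>&xxe;</text></value></field></subform>
  </template>
</xdp:xdp>
"""


def build_sample_pdf(xfa_xml: bytes, compress: bool) -> bytes:
    """Hypothetical helper: a minimal, xref-less PDF whose AcroForm carries the XFA."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Fields [] /XFA [(template) 4 0 R] >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(body), filt, body),
    ]
    out = [b"%PDF-1.7\n"]
    for num, obj in enumerate(objects, 1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (num, obj))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    for label, xml_doc, compress in (("benign", BENIGN_XFA, False), ("xxe", XXE_XFA, True)):
        print(label, scan_pdf_for_xfa_dtd(build_sample_pdf(xml_doc, compress)))
        print(label, "safe to parse:", form_xml_is_safe(xml_doc))
```

The scanner keys on the DOCTYPE rather than on a particular entity name because legitimate XFA never needs a DTD, so the presence of one is itself the signal; the `external_entity` flag only ranks the finding. The hardening side mirrors what a patched parser should do: refuse the DOCTYPE before any entity is declared, which in Java corresponds to enabling the disallow-doctype-decl feature on the parser factory rather than trying to filter individual entities.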

Atlassian products that use Tika include Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management. The company has released fixes for all six.

The list of critical-severity issues that Atlassian resolved this month also includes CVE-2022-37601 (CVSS score of 9.8), a prototype pollution vulnerability in loader-utils, a webpack helper library used by Confluence.

Another critical prototype pollution bug was patched in Jira and Jira Service Management. Tracked as CVE-2021-39227 (CVSS score of 9.8), it affects the lightweight graphic library ZRender.

Atlassian’s fresh round of fixes also resolves over two dozen high-severity DoS, XXE, SSRF, file inclusion, prototype pollution, improper authorization, information disclosure, improper input validation, and RCE flaws.

Software updates that fix these defects were released for the Data Center and Server editions of Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, and Jira Service Management.

Because the weaknesses lie in third-party dependencies rather than in Atlassian's own code, they affect every Atlassian product that ships a vulnerable version of the library in question, which is why the same CVE is fixed across several products.

Users are advised to apply the patches as soon as possible. Additional information on the bugs and their fixes can be found in Atlassian’s December 2025 security advisory.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.