The XML Trap: CVE-2025-68493, a Critical Struts 2 Flaw Exposing Data
Key Findings: A new vulnerability, CVE-2025-68493, has been discovered in the Apache Struts 2 web application framework. The flaw, which affects multiple versions of Struts 2, allows for XML External Entity (XXE) injection attacks. The vulnerability can lead to data disclosure, denial of service, and server-side request forgery (SSRF). The issue stems from improper validation of XML configurations in the XWork component of Struts 2. Background: Apache Struts 2 is a popular open
Jan 11 · 2 min read
CISA: Mitigate GeoServer XXE Vulnerability to Prevent Data Theft and Network Scanning
Key Findings: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the widely used OSGeo GeoServer software to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, tracked as CVE-2025-58360, is an XML External Entity (XXE) vulnerability that attackers are actively exploiting to breach networks and steal sensitive data. The vulnerability lies within GeoServer's handling of XML input, allowing attackers to define e
Dec 12, 2025 · 2 min read
Maximum-severity XXE vulnerability discovered in Apache Tika
Key Findings: A critical XXE vulnerability (CVE-2025-66516) with a CVSS score of 10.0 was discovered in Apache Tika. The vulnerability allows XML external entity attacks and affects Tika's core, PDF, and parser modules. Attackers can embed a malicious XFA file inside a PDF to trigger the XXE injection in Tika. Background: Apache Tika is an open-source content analysis toolkit used to extract text, metadata, and structured information from various file types. Tika is widely used in
Dec 6, 2025 · 1 min read
Apache Tika Hit by Critical XXE Bug (CVE-2025-66516, CVSS 10.0)
Key Findings: A critical XML external entity (XXE) vulnerability, tracked as CVE-2025-66516, has been discovered in the Apache Tika toolkit. The vulnerability has a CVSS score of 10.0, indicating maximum severity. The flaw allows attackers to carry out XXE injection attacks by exploiting a crafted XFA file within a PDF document. The vulnerability affects multiple Apache Tika components, including the tika-core, tika-parser-pdf-module, and tika-parsers modules. This vulnerabili
Dec 5, 2025 · 2 min read
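All four posts above describe the same class of bug in Java software: an XML parser that honours a DOCTYPE and resolves external entities, so attacker-controlled XML can pull local files into the document (disclosure), point an entity at an internal URL (SSRF) or at a nonterminating source (denial of service). The example below is added here and is not code from any of the affected projects or from the original posts. It shows the JDK's default JAXP DocumentBuilder beside a hardened one, run against a constructed payload that references file:///etc/hostname; the file path is an assumption for a Unix-like host and the exact exception text depends on the JDK's bundled Xerces.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class XxeDemo {

    // Constructed sample payload (not from any advisory): the DOCTYPE declares an
    // external general entity backed by a local file and the body references it.
    // file:///etc/hostname is an assumed, harmless target on a Unix-like machine.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<data>&xxe;</data>";

    // Default JAXP configuration: the DTD is processed and external entities are
    // resolved, so the file content ends up inside the parsed <data> element.
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder();
    }

    // Hardened configuration. Rejecting any DOCTYPE is the single strongest
    // setting; the remaining features are defence in depth for parsers that do
    // not honour disallow-doctype-decl.
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse the payload with the given builder and describe the outcome rather
    // than printing the file content itself.
    static String parseAndReport(String label, DocumentBuilder builder) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(XXE_PAYLOAD)));
            String text = doc.getDocumentElement().getTextContent().trim();
            return label + ": parsed; <data> now holds " + text.length()
                 + " characters read from the referenced file";
        } catch (Exception e) {
            // The hardened builder fails here with a SAXParseException about the
            // disallowed DOCTYPE, before any entity is resolved.
            return label + ": rejected (" + e.getClass().getSimpleName() + ": "
                 + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseAndReport("default parser ", unsafeBuilder()));
        System.out.println(parseAndReport("hardened parser", safeBuilder()));
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The first line shows the default builder silently substituting the file's contents; the second shows the hardened builder refusing the document at the DOCTYPE. When reviewing a Java codebase for this bug class, search for every `DocumentBuilderFactory`, `SAXParserFactory`, `XMLInputFactory` and `TransformerFactory` instantiation and confirm each one applies equivalent settings, since a single unhardened parser on an untrusted input path is enough.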