The Hacker News

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

Critical XXE flaw CVE-2025-66516 affects multiple Apache Tika modules, exposing systems and requiring urgent updates.
GitHub

A Roslyn-inspired full-fidelity XML parser with no dependencies and a simple Visual Studio XML language service.

XML DTD is not supported (Roslyn didn't support it either) Code wasn't tuned for performance and allocations, I'm sure a lot can be done to reduce memory consumption by the resulting tree. It should ...