Y. Sorry for the noise. Same vulnerability, exactly the same.

On Fri, Dec 5, 2025 at 6:00 PM Rajiv Shah via user <[email protected]> wrote:
> Hi,
> Would you mind confirming that CVE-2025-66516 is effectively the same as
> CVE-2025-54988? Our understanding was that 66516 was issued to clarify
> the affected packages (including tika-parsers 1.x) and the remediation
> steps (upgrading tika-core as well), but the underlying vulnerable code is
> the same. However, we noticed that the ASF submitted 54988 with a CVSSv3
> score of 8.4 (high), while 66516 has a CVSSv4 score of 10.0 (critical).
> Given the severity of this vulnerability, we wanted to be completely sure
> whether these were the same and whether the mitigations mentioned in
> https://lists.apache.org/thread/qkgd43gjnb6gyzvbcq24lz98w0hod75g are
> still sufficient.
>
> Thanks,
> Rajiv
