Vulnerability Apache Tika 1.13 < 3.2.2 XXE (CVE-2025-66516) and Apache Log4j 2.0-beta9 < 2.25.3 MitM in VA scan report of server

Ravinder07Sharma · February 3, 2026, 11:51am

we are running Elasticsearch-8.17.10 on 6 RHEL 8 servers. But we are getting vulnerability Apache Tika 1.13 < 3.2.2 XXE (CVE-2025-66516) and Apache Log4j 2.0-beta9 < 2.25.3 MitM in VA scan report of server. log4j vulnerability is not getting fixed by upgrading elasticsearch to version 8.19.10.How to fix these vulnerabilities?

Nguy_n_Trung_Nguyen · February 9, 2026, 10:09am

Hello, I’m also facing the same issue as you. I’ve upgraded to version 8.19.11, but the security vulnerability is still present. Have you managed to resolve this problem yet? If so, please share how you fixed it with me.

Topic		Replies	Views
Elasticsearch Log4j vulnerability resolution for 8.19.X version Elastic Search	5	35	February 16, 2026
Apache Log4j 2.0 < 2.3.2 / 2.4 < 2.12.4 / 2.13 < 2.17.1 RCE Elasticsearch	7	675	February 17, 2023
Apache Log4j2 vulnerability Elasticsearch	4	1188	January 19, 2022
Lucene vulnerability in elastic search Elasticsearch	2	143	November 14, 2024
Elastic Search 1.7.1 Log4j2 Vulnerability Fix Elasticsearch	1	305	January 21, 2022

Vulnerability Apache Tika 1.13 < 3.2.2 XXE (CVE-2025-66516) and Apache Log4j 2.0-beta9 < 2.25.3 MitM in VA scan report of server

Related topics