Hi all — we’ve been remediating CVE-2025-54988 and CVE-2025-66516, which affect the tika-core 1.28.x bundle shipped with Lucee. The fix is upgrading to tika-core 3.2.2.
Unlike log4j, there’s no existing lucee/osgi-bundle-tika-core repository to submit a PR against. I’ve built and tested a wrapper pom.xml (same pattern as the other osgi-bundle-* repos) and published it here:
We’ve run this in production against Lucee 7.0.3.43 in a hardened Kubernetes environment. Would the Lucee team be willing to create a lucee/osgi-bundle-tika-core repo so I can submit a proper PR?
(I’ve also submitted PRs to lucee/osgi-bundle-log4j-api and lucee/osgi-bundle-log4j-core to bump log4j from 2.20.0 to 2.25.4 for CVE-2026-34480.)