Enonic XP 7.15.4 has been released

Hi everyone!

Today, we have released Enonic XP 7.15.4. This is a security release to fix a potential vulnerability that was reported last week: Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF · CVE-2025-54988 · GitHub Advisory Database · GitHub. Through code in the bundled Apache Tika, Enonic XP may be vulnerable to attacks through PDFs stored in the internal repos, for instance through an upload via Content Studio. To exploit this vulnerability, somebody with access to admin must upload the malicious PDF to XP. The fix in 7.15.4 ensures the malicious code in the PDF can no longer be exploited.

If you are not in control of the source of all PDFs on your site, we recommend upgrading.

The change log is found here: Release Enonic XP Distro 7.15.4 · enonic/xp-distro · GitHub
