From ce9d1fed5fd85d0017ad1a420bdb523fa1bdb44a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bal=C3=A1zs=20Re=C3=A9?= Date: Tue, 9 Dec 2025 15:21:17 +0100 Subject: [PATCH 1/4] Upgrade to Solr 9.10 with external Tika server (CVE-2025-66516 fix) - Upgrade Solr from 8 to 9.10 - Add external Tika server (3.2.3) to mitigate CVE-2025-66516 - Update solrconfig.xml for Solr 9 compatibility (luceneMatchVersion 9.12) - Configure extraction handler to use external Tika server - Remove deprecated local Tika library loading - Add Makefile targets for solr-activate-and-reindex --- Makefile | 49 +++++++++++++++++ backend/Makefile | 8 +++ .../+fix-tikka-sec-vulnerability.breaking | 1 + .../solr/profiles/default/metadata.xml | 2 +- .../default/registry/collective.solr.xml | 8 +++ .../kitconcept/solr/upgrades/configure.zcml | 11 ++++ backend/tests/setup/test_setup_install.py | 4 -- docker-compose-ci.yml | 12 +++++ docker-compose-dev.yml | 11 ++++ docker-compose.yml | 11 +++- docs/docs/how-to-guides/index.md | 5 ++ .../how-to-guides/upgrade-cve-2025-66516.md | 53 +++++++++++++++++++ .../config/vocabularies/Plone/accept.txt | 8 +++ news/+fix-tikka-sec-vulnerability.bugfix | 1 + solr/Dockerfile | 4 +- solr/etc/conf/solrconfig.xml | 35 +++--------- 16 files changed, 186 insertions(+), 37 deletions(-) create mode 100644 backend/news/+fix-tikka-sec-vulnerability.breaking create mode 100644 backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml create mode 100644 docs/docs/how-to-guides/upgrade-cve-2025-66516.md create mode 100644 news/+fix-tikka-sec-vulnerability.bugfix diff --git a/Makefile b/Makefile index f6d9d63..b689c34 100644 --- a/Makefile +++ b/Makefile 
@@ -182,6 +182,55 @@ stack-rm: ## Local Stack: Remove Services and Volumes
 @echo "Remove local volume data"
 @docker volume rm $(PROJECT_NAME)_vol-site-data
+
+###########################################
+# SOLR
+###########################################
+
+BACKEND_FOLDER=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+SOLR_DATA_FOLDER?=${BACKEND_FOLDER}/data
+SOLR_ONLY_COMPOSE?=${BACKEND_FOLDER}/docker-compose.yml
+
+## Solr docker utils
+test-stack-name:
+ # The STACK_NAME env variable must exist and discriminate between your projects,
+ # and the purpose of the container (_DEV, _STACK, _TEST)
+ test -n "$(STACK_NAME)"
+
+.PHONY: solr-start
+solr-start: test-stack-name ## Start solr
+ @echo "Start solr"
+ @COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up -d solr tika
+
+.PHONY: solr-start-and-rebuild
+solr-start-and-rebuild: test-stack-name ## Start solr and rebuild containers, erases content
+ @echo "Start solr and rebuild"
+ @COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up -d --build solr tika
+
+.PHONY: solr-start-fg
+solr-start-fg: test-stack-name ## Start solr in foreground
+ @echo "Start solr in foreground"
+ @COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} up solr tika
+
+.PHONY: solr-stop
+solr-stop: test-stack-name ## Stop solr
+ @echo "Stop solr"
+ @COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} down solr tika
+
+.PHONY: solr-logs
+solr-logs: test-stack-name ## Show solr logs
+ @echo "Show solr logs"
+ @COMPOSE_PROJECT_NAME=${STACK_NAME} docker compose -f ${STACK_FILE} logs -f solr
+
+.PHONY: solr-activate-and-reindex
+solr-activate-and-reindex: ## Activate solr and reindex content
+ $(MAKE) -C "./backend/" solr-activate-and-reindex
+
+.PHONY: solr-activate-and-reindex-clear
+solr-activate-and-reindex-clear: ## Activate solr and reindex content with clear
+ $(MAKE) -C "./backend/" solr-activate-and-reindex-clear
+
 ###########################################
# Acceptance ########################################### diff --git a/backend/Makefile b/backend/Makefile index 97e1089..82da994 100644 --- a/backend/Makefile +++ b/backend/Makefile @@ -94,6 +94,14 @@ console: $(VENV_FOLDER) instance/etc/zope.ini ## Start a console into a Plone in create-site: $(VENV_FOLDER) instance/etc/zope.ini ## Create a new site from scratch @$(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/create_site.py +.PHONY: solr-activate-and-reindex +solr-activate-and-reindex: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content + @PYTHONWARNINGS=ignore $(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py + +.PHONY: solr-activate-and-reindex-clear +solr-activate-and-reindex-clear: $(VENV_FOLDER) instance/etc/zope.ini ## Activate solr and reindex content with clear + @PYTHONWARNINGS=ignore $(BIN_FOLDER)/zconsole run instance/etc/zope.conf ./scripts/solr_activate_and_reindex.py --clear + # Example Content .PHONY: update-example-content update-example-content: $(VENV_FOLDER) ## Export example content inside package diff --git a/backend/news/+fix-tikka-sec-vulnerability.breaking b/backend/news/+fix-tikka-sec-vulnerability.breaking new file mode 100644 index 0000000..f5f87a7 --- /dev/null +++ b/backend/news/+fix-tikka-sec-vulnerability.breaking @@ -0,0 +1 @@ +Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs diff --git a/backend/src/kitconcept/solr/profiles/default/metadata.xml b/backend/src/kitconcept/solr/profiles/default/metadata.xml index 5625aab..bf7690e 100644 --- a/backend/src/kitconcept/solr/profiles/default/metadata.xml +++ b/backend/src/kitconcept/solr/profiles/default/metadata.xml @@ -1,6 +1,6 @@ - 1000 + 1001 profile-collective.solr:default diff --git a/backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml b/backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml new file mode 100644 index 0000000..40a3f23 
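Review bot: `test-stack-name` is a guard target that creates no file, yet unlike every other new target in this hunk it is not declared `.PHONY`, so a stray file of that name in the checkout would make every `solr-*` target skip the `STACK_NAME` check; add `.PHONY: test-stack-name` above it. The two `#` lines inside its recipe are recipe text rather than Make comments, so they are echoed and passed to the shell on each run; placing them above the target line keeps the explanation without the noise. `${STACK_FILE}` is passed to every `docker compose -f` here but is not defined in this hunk, while `SOLR_DATA_FOLDER` and `SOLR_ONLY_COMPOSE` are defined here and never referenced — presumably both are wired up elsewhere in the Makefile, but worth confirming, since an empty `STACK_FILE` makes `-f` swallow the following `up`/`down` word. `BACKEND_FOLDER` is derived from this top-level Makefile's own location, so the name is misleading; `ROOT_FOLDER` or `PROJECT_FOLDER` would describe the value it holds.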
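Review bot: Both new targets run `./scripts/solr_activate_and_reindex.py`, which is not among the files this series touches, so they only work if the script already exists in the repository; if it does not, the failure surfaces inside `zconsole` rather than as a Make error. Listing the script as a prerequisite makes the missing-file case explicit, e.g. `solr-activate-and-reindex: $(VENV_FOLDER) instance/etc/zope.ini scripts/solr_activate_and_reindex.py ## Activate solr and reindex content`, and the same for the `-clear` variant. The `@` prefix also hides the exact `zconsole` command line on failure; since this recipe is not chatty, dropping the `@` would make a broken run easier to diagnose.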
--- /dev/null +++ b/backend/src/kitconcept/solr/profiles/default/registry/collective.solr.xml @@ -0,0 +1,8 @@ + + + + + True + + + diff --git a/backend/src/kitconcept/solr/upgrades/configure.zcml b/backend/src/kitconcept/solr/upgrades/configure.zcml index eaa5c6f..d4a1596 100644 --- a/backend/src/kitconcept/solr/upgrades/configure.zcml +++ b/backend/src/kitconcept/solr/upgrades/configure.zcml @@ -4,4 +4,15 @@ i18n_domain="kitconcept.solr" > + + + + diff --git a/backend/tests/setup/test_setup_install.py b/backend/tests/setup/test_setup_install.py index 4a6b2eb..dfc1f42 100644 --- a/backend/tests/setup/test_setup_install.py +++ b/backend/tests/setup/test_setup_install.py @@ -8,10 +8,6 @@ class TestSetupInstall: def test_addon_installed(self, installer): assert installer.is_product_installed(PACKAGE_NAME) is True - def test_latest_version(self, profile_last_version): - """Test latest version of default profile.""" - assert profile_last_version(f"{PACKAGE_NAME}:default") == "1000" - def test_browserlayer(self, browser_layers): """Test that IKitconceptSolrLayer is registered.""" from kitconcept.solr.interfaces import IKitconceptSolrLayer diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml index 3342c6d..c33501c 100644 --- a/docker-compose-ci.yml +++ b/docker-compose-ci.yml @@ -7,16 +7,28 @@ name: kitconcept-solr-ci services: + tika-acceptance: + image: apache/tika:3.2.3.0-full + profiles: ["ci"] + ports: + - 9998:9998 + solr-acceptance: build: context: ./solr profiles: ["ci"] + depends_on: + - tika-acceptance ports: - 8983:8983 command: - solr-precreate - plone - /plone-config + environment: + SOLR_MODULES: extraction + SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998" + frontend-acceptance: image: ghcr.io/kitconcept/kitconcept-solr-frontend:${BASE_TAG} pull_policy: always diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index ce7c783..9394ce4 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml 
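Review bot: The new `tika-acceptance` service publishes `9998:9998` on the host, but its only consumer is Solr, which reaches it over the compose network through `-Dsolr.tika.url=http://tika-acceptance:9998` in `SOLR_OPTS`; Tika server has no authentication of its own, so the host mapping widens exposure without serving the build. Drop the `ports:` block, or bind it to loopback with `- "127.0.0.1:9998:9998"` if local debugging is wanted. The same applies to `tika-acceptance` in docker-compose-dev.yml and, more importantly, to `tika` in docker-compose.yml, where a production host would expose the parser on all interfaces. `depends_on: - tika-acceptance` only orders container start; if the Tika image provides a healthcheck, `condition: service_healthy` would stop early extraction requests from failing against a Tika that is not yet listening.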
@@ -3,17 +3,28 @@ name: kitconcept-solr-acceptance services: + tika-acceptance: + image: apache/tika:3.2.3.0-full + profiles: ["acceptance", "dev", "solr"] + ports: + - 9998:9998 + solr-acceptance: build: context: ./solr pull_policy: build profiles: ["acceptance", "dev", "solr"] + depends_on: + - tika-acceptance ports: - 8983:8983 command: - solr-precreate - plone - /plone-config + environment: + SOLR_MODULES: extraction + SOLR_OPTS: "-Dsolr.tika.url=http://tika-acceptance:9998" frontend: &frontend build: diff --git a/docker-compose.yml b/docker-compose.yml index de07548..fe94aa3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -98,16 +98,25 @@ services: - traefik.http.routers.rt-backend-classic.service=svc-backend - traefik.http.routers.rt-backend-classic.middlewares=gzip,mw-backend-auth,mw-backend-vhm-classic + tika: + image: apache/tika:3.2.3.0-full + ports: + - 9998:9998 + solr: build: context: solr/ ports: - 8983:8983 + depends_on: + - tika command: - solr-precreate - plone - /plone-config - + environment: + SOLR_MODULES: extraction + SOLR_OPTS: "-Dsolr.tika.url=http://tika:9998" volumes: vol-site-data: {} diff --git a/docs/docs/how-to-guides/index.md b/docs/docs/how-to-guides/index.md index 2914376..ae4a4be 100644 --- a/docs/docs/how-to-guides/index.md +++ b/docs/docs/how-to-guides/index.md @@ -19,6 +19,11 @@ https://diataxis.fr/how-to-guides/ ``` +## Security Upgrades + +- {doc}`upgrade-cve-2025-66516` + + ## Authors - {doc}`plone:contributing/documentation/myst-reference` diff --git a/docs/docs/how-to-guides/upgrade-cve-2025-66516.md b/docs/docs/how-to-guides/upgrade-cve-2025-66516.md new file mode 100644 index 0000000..4df518e --- /dev/null +++ b/docs/docs/how-to-guides/upgrade-cve-2025-66516.md 
@@ -0,0 +1,53 @@ +--- +myst: + html_meta: + "description": "Upgrade guide for CVE-2025-66516 Tika vulnerability fix" + "property=og:description": "Upgrade guide for CVE-2025-66516 Tika vulnerability fix" + "property=og:title": "Upgrade guide for CVE-2025-66516" + "keywords": "Plone, kitconcept Solr, security, CVE, Tika, upgrade" +--- + +# Upgrade Guide: CVE-2025-66516 (Tika XXE Vulnerability) + +This guide explains what changes are required after upgrading to address the CVE-2025-66516 vulnerability in Apache Tika. + +This fix is included in `kitconcept.solr` version **2.0.0a8** and later. This guide applies to all version 2 users, as well as users upgrading from version 2.0.0a7 or earlier to later 2.x versions. + +**Note for version 1.x alpha users:** Version 1.x was never officially released (the project transitioned directly to version 2 with the new repository structure). Users of the 1.x alpha versions are recommended to migrate to version 2, which can be done without any further changes. + +## Background + +CVE-2025-66516 is a critical XML External Entity (XXE) vulnerability in Apache Tika versions prior to 3.2.0. The fix involves upgrading to Solr 9.10 with an external Tika 3.2.3 server. + +## Users on the Vanilla kitconcept.solr Image + +**No configuration changes are required on your end.** + +You are using the vanilla image if your Docker Compose configuration references: + +```yaml +solr: + image: ghcr.io/kitconcept/solr +``` + +Simply pull the new Docker image and restart your services. The updated image includes: + +- Solr 9.10 with the `extraction` module enabled +- External Tika 3.2.3 server (patched against CVE-2025-66516) + +If you're using Docker Compose, you may need to update your stack configuration to include the new Tika service. Check the project's `docker-compose.yml` for the current reference configuration. 
+ +## Users with Custom Solr Images + +If you've built custom Solr images based on this project, you'll need to rebuild your image with the updated configuration. + +**Important:** The fix lies entirely in the configuration update, not in the `kitconcept.solr` Python package. You don't need to upgrade `kitconcept.solr` to fix this vulnerability. + +The key configuration changes are: + +1. **Solr version**: Upgrade to the newest Solr version (9.x). The base image should be `solr:9.10` or later in your Dockerfile. +2. **Environment variable**: Set `SOLR_MODULES=extraction` to enable the extraction module in Solr 9.x +3. **External Tika server**: Configure Tika as an external service using version 3.2.3 or later +4. **Remove embedded Tika**: The embedded Tika library directives are no longer needed in `solrconfig.xml` + +Refer to the project's Solr configuration files and Docker Compose setup for implementation details. diff --git a/docs/styles/config/vocabularies/Plone/accept.txt b/docs/styles/config/vocabularies/Plone/accept.txt index cde1ced..c2f0cb6 100644 --- a/docs/styles/config/vocabularies/Plone/accept.txt +++ b/docs/styles/config/vocabularies/Plone/accept.txt @@ -1,3 +1,7 @@ +`collective.solr` +collective\.solr +`kitconcept.solr` +kitconcept\.solr `plone.api` `plone.restapi` `plone.volto` @@ -13,6 +17,7 @@ buildout cacheable CommonJS doctest +Dockerfile folderish fieldset getter @@ -36,7 +41,10 @@ Razzle RichText Sass Schuko +Solr +solrconfig subfolder +Tika [Tt]owncrier transpile[dr]{0,1} [Uu]ncomment diff --git a/news/+fix-tikka-sec-vulnerability.bugfix b/news/+fix-tikka-sec-vulnerability.bugfix new file mode 100644 index 0000000..f5f87a7 --- /dev/null +++ b/news/+fix-tikka-sec-vulnerability.bugfix @@ -0,0 +1 @@ +Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs diff --git a/solr/Dockerfile b/solr/Dockerfile index adeec8a..c146088 100644 --- a/solr/Dockerfile +++ b/solr/Dockerfile 
@@ -1,9 +1,9 @@ # syntax=docker/dockerfile:1 -FROM solr:8 +FROM solr:9.10 LABEL maintainer="kitconcept, GmbH " \ org.label-schema.name="ghcr.io/kitconcept/solr" \ - org.label-schema.description="Solr 8 image with Plone default settings" \ + org.label-schema.description="Solr 9 image with Plone default settings" \ org.label-schema.vendor="kitconcept, GmbH" # Copy default plone configuration for this image diff --git a/solr/etc/conf/solrconfig.xml b/solr/etc/conf/solrconfig.xml index 4dd8773..00713bc 100644 --- a/solr/etc/conf/solrconfig.xml +++ b/solr/etc/conf/solrconfig.xml @@ -1,6 +1,6 @@ - 4.5 + 9.12 ${solr.data.dir:} @@ -11,33 +11,6 @@ - - - - - - - - - - - - - + + tikaserver + ${solr.tika.url:http://tika:9998} + true ignored_ @@ -133,7 +111,6 @@ ignored_ - From f4e64575ba2bb2a1fca089b6dbf0742d5ef9e4be Mon Sep 17 00:00:00 2001 From: David Glick Date: Wed, 10 Dec 2025 13:02:36 -0800 Subject: [PATCH 2/4] Make upgrade docs clearer that you have to start running a Tika service, and how to configure the connection to it --- docs/docs/how-to-guides/upgrade-cve-2025-66516.md | 12 +++++++----- news/+fix-tikka-sec-vulnerability.bugfix | 3 ++- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/docs/how-to-guides/upgrade-cve-2025-66516.md b/docs/docs/how-to-guides/upgrade-cve-2025-66516.md index 4df518e..290b696 100644 --- a/docs/docs/how-to-guides/upgrade-cve-2025-66516.md +++ b/docs/docs/how-to-guides/upgrade-cve-2025-66516.md @@ -21,8 +21,6 @@ CVE-2025-66516 is a critical XML External Entity (XXE) vulnerability in Apache T ## Users on the Vanilla kitconcept.solr Image -**No configuration changes are required on your end.** - You are using the vanilla image if your Docker Compose configuration references: ```yaml 
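Review bot: `${solr.tika.url:http://tika:9998}` is a Solr property substitution resolved from a Java system property (the compose files set it via `SOLR_OPTS: "-Dsolr.tika.url=..."`), not from an environment variable, and the surrounding element names are lost in this rendering so I cannot confirm the handler wiring. An XML comment beside it would prevent the obvious misreading, e.g. `<!-- Tika server URL; override with -Dsolr.tika.url=... in SOLR_OPTS. The default assumes a compose service named "tika". -->`. That comment should also say the default is plain HTTP to a service with no authentication, which is acceptable on the compose network but not for a remote Tika reachable by other hosts.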
@@ -30,12 +28,16 @@ solr: image: ghcr.io/kitconcept/solr ``` -Simply pull the new Docker image and restart your services. The updated image includes: +You will need to start running the Tika server as a separate service. +Check the project's `docker-compose.yml` for the current reference configuration. + +Then pull the new `ghcr.io/kitconcept/solr` image and restart your services. The updated image includes: - Solr 9.10 with the `extraction` module enabled -- External Tika 3.2.3 server (patched against CVE-2025-66516) +- Configuration to use an external Tika 3.2.3 server (patched against CVE-2025-66516) -If you're using Docker Compose, you may need to update your stack configuration to include the new Tika service. Check the project's `docker-compose.yml` for the current reference configuration. +By default, Solr will connect to the Tika server at http://tika:9998 +You can override this using the `solr.tika.url` environment variable. ## Users with Custom Solr Images diff --git a/news/+fix-tikka-sec-vulnerability.bugfix b/news/+fix-tikka-sec-vulnerability.bugfix index f5f87a7..cc1748e 100644 --- a/news/+fix-tikka-sec-vulnerability.bugfix +++ b/news/+fix-tikka-sec-vulnerability.bugfix @@ -1 +1,2 @@ -Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs +Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. +See docs/docs/how-to-guides/upgrade-cve-2025-66516.md for details. @reebalazs From f1334aed57025ac29f97ce7c8ca6d0ea8dfc0fce Mon Sep 17 00:00:00 2001 From: David Glick Date: Wed, 10 Dec 2025 13:05:38 -0800 Subject: [PATCH 3/4] More accurate release note for the Python package --- backend/news/+fix-tikka-sec-vulnerability.breaking | 1 - backend/news/+fix-tikka-sec-vulnerability.bugfix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 backend/news/+fix-tikka-sec-vulnerability.breaking create mode 100644 backend/news/+fix-tikka-sec-vulnerability.bugfix 
diff --git a/backend/news/+fix-tikka-sec-vulnerability.breaking b/backend/news/+fix-tikka-sec-vulnerability.breaking deleted file mode 100644 index f5f87a7..0000000 --- a/backend/news/+fix-tikka-sec-vulnerability.breaking +++ /dev/null @@ -1 +0,0 @@ -Upgrade to Solr 9.10 with external Tika server 3.2.3 to fix CVE-2025-66516. @reebalazs diff --git a/backend/news/+fix-tikka-sec-vulnerability.bugfix b/backend/news/+fix-tikka-sec-vulnerability.bugfix new file mode 100644 index 0000000..ebc5f41 --- /dev/null +++ b/backend/news/+fix-tikka-sec-vulnerability.bugfix @@ -0,0 +1 @@ +Enable the `use_tika` setting from `collective.solr` to make sure text can be extracted from binary files with recent versions of Solr. @reebalazs From 25db426527578b2b91b7d06cd77ffefedf7c1a96 Mon Sep 17 00:00:00 2001 From: David Glick Date: Wed, 10 Dec 2025 13:07:54 -0800 Subject: [PATCH 4/4] fix Vale error --- docs/docs/how-to-guides/upgrade-cve-2025-66516.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/how-to-guides/upgrade-cve-2025-66516.md b/docs/docs/how-to-guides/upgrade-cve-2025-66516.md index 290b696..7640dae 100644 --- a/docs/docs/how-to-guides/upgrade-cve-2025-66516.md +++ b/docs/docs/how-to-guides/upgrade-cve-2025-66516.md @@ -36,7 +36,7 @@ Then pull the new `ghcr.io/kitconcept/solr` image and restart your services. The - Solr 9.10 with the `extraction` module enabled - Configuration to use an external Tika 3.2.3 server (patched against CVE-2025-66516) -By default, Solr will connect to the Tika server at http://tika:9998 +By default, Solr will connect to the Tika server at `http://tika:9998`. You can override this using the `solr.tika.url` environment variable. ## Users with Custom Solr Images