diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 3fd2729d..e61656ea 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -156,7 +156,7 @@ services:
 
 {% if tika_enabled %}
   fts_attachments:
-    image: apache/tika:2.9.2.1-full
+    image: apache/tika:latest-full
     hostname: tika
     logging:
       driver: journald
diff --git a/towncrier/newsfragments/3903.bugfix b/towncrier/newsfragments/3903.bugfix
new file mode 100644
index 00000000..2a327d39
--- /dev/null
+++ b/towncrier/newsfragments/3903.bugfix
@@ -0,0 +1 @@
+Upgrade Tika to latest to fix CVE-2025-54988 (XXE). You will need to run setup again for the fix to be applied! This is defence in depth rather than something critical as on docker deployments there is no impact.