Looking through recent mails on this list with XXE in the topic, I see:

* XXE in Apache Struts due to insecure defaults in Java's standard library: CVE-2025-68493
* XXE in Apache SIS due to insecure defaults in Java's standard library: CVE-2025-68280
* XXE in Apache Tika due to insecure defaults in Java's standard library: CVE-2025-54988, CVE-2025-66516
* XXE in Apache Jackrabbit due to insecure defaults in Java's standard library: CVE-2025-53689
* XXE in Apache Ambari due to insecure defaults in Java's standard library: CVE-2025-23195
* XXE in Apache XML Graphics FOP due to insecure defaults in Java's standard library: CVE-2024-28168
* XXE in Apache Drill due to insecure defaults in Java's standard library: CVE-2023-48362
Also recently: my research on prevalent XXEs in electronic invoicing software, largely due to insecure defaults in Java and Saxon (which is based on Java): https://invoice.secvuln.info/

I'm sensing a pattern here. Maybe Apache should audit all their uses of Apache's XML standard library. And, maybe, having insecure defaults in Java's standard library is not so great.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
