So there is a thing or two that the IT industry can learn from software projects like OpenBSD.
OpenBSD has been advocating for this for years now :-)

On Mon, 12 Jan 2026 at 18:58, Hanno Böck <[email protected]> wrote:
>
> Looking through recent mails on this list with XXE in the topic, I see:
>
> * XXE in Apache Struts due to insecure defaults in Java's standard
>   library: CVE-2025-68493
> * XXE in Apache SIS due to insecure defaults in Java's standard
>   library: CVE-2025-68280
> * XXE in Apache Tika due to insecure defaults in Java's standard
>   library: CVE-2025-54988, CVE-2025-66516
> * XXE in Apache Jackrabbit due to insecure defaults in Java's standard
>   library: CVE-2025-53689
> * XXE in Apache Ambari due to insecure defaults in Java's standard
>   library: CVE-2025-23195
> * XXE in Apache XML Graphics FOP due to insecure defaults in Java's
>   standard library: CVE-2024-28168
> * XXE in Apache Drill due to insecure defaults in Java's standard
>   library: CVE-2023-48362
>
> Also recently: my research on prevalent XXEs in electronic invoicing
> software, largely due to insecure defaults in Java and Saxon (which is
> based on Java): https://invoice.secvuln.info/
>
> I'm sensing a pattern here. Maybe Apache should audit all their uses of
> Apache's XML standard library. And, maybe, having insecure defaults in
> Java's standard library is not so great.
>
> --
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/
