The version of dom4j that we use allows external entities by default, which might enable XXE attacks.
Dom4j should either be updated or configured properly.
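
One way to do the "configured properly" option, as an added example that is not this project's code: a `SAXReader` factory that rejects DOCTYPE declarations and turns off external entity resolution. The class and method names are hypothetical, the two inputs are constructed samples, and the `apache.org` feature URIs assume the underlying SAX parser is Xerces or the JDK's built-in parser.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

// Hypothetical helper class, not part of dom4j or of this project.
public class HardenedDom4j {

    /** Returns a SAXReader that rejects DTDs and never resolves external entities. */
    static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any document that carries a DOCTYPE; without a DTD no entity can be declared.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE ban ever has to be lifted.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    public static void main(String[] args) throws Exception {
        SAXReader reader = newHardenedReader();

        // Constructed sample input: ordinary document without a DOCTYPE, must still parse.
        String plain = "<order><id>42</id></order>";
        Document doc = reader.read(new StringReader(plain));
        System.out.println("parsed root: " + doc.getRootElement().getName());

        // Constructed sample input: DOCTYPE with a harmless internal entity.
        // A hardened reader refuses it before any entity is expanded.
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>";
        try {
            reader.read(new StringReader(withDoctype));
            System.out.println("DOCTYPE accepted: reader is NOT hardened");
        } catch (DocumentException ex) {
            System.out.println("DOCTYPE rejected: " + ex.getMessage());
        }
    }
}
```

Every place that calls `new SAXReader()` directly needs to go through the factory for this to hold. For the update option, dom4j 2.1.3 and later also provide `SAXReader.createDefault()`, which applies secure defaults.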