In jgraphx (mxGraph) before 3.7.6, the SAXParserFactory instance in mxGraphViewImageReader.java:convert() is missing flags to prevent XML External Entity (XXE) attacks.

Upstream Issue: https://github.com/jgraph/mxgraph/issues/124
Upstream Commit: https://bitbucket.org/jgraph/mxgraph2/commits/7d159ca3259b961cbb1c51b4ea42cb408c624ff1
Created jgraphx tracking bugs for this issue:

Affects: fedora-all [bug 1550354]
Affects: epel-6 [bug 1550355]