diff --git a/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java b/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java
index 4b3d9b0f28..c8c5240f88 100644
--- a/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java
+++ b/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java
@@ -52,7 +52,9 @@ public final class XmlStreams {
   }
 
   private static XMLStreamReader createReader(Reader reader) throws XMLStreamException {
-    return XMLInputFactory.newInstance().createXMLStreamReader(reader);
+    XMLInputFactory factory = XMLInputFactory.newInstance();
+    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+    return factory.createXMLStreamReader(reader);
   }