hunterhacker / jdom

Java manipulation of XML made easy


Vulnerability warnings in maven repository

DeniseSl22 opened this issue · comments

commented

Dear @hunterhacker , I just noticed these two warnings here:
[screenshot of the two warnings]

Hi @DeniseSl22 - Good catch. I'll add it to my long list of things to do in my life. If you're in a hurry you could test with the Xerces 2.12.2 and see how well things work and submit a PR.

commented

@hunterhacker thank you for getting back to me so quickly! I know the feeling of long to-do lists. If I have time I will give it a PR a try (but can't make any promises).

What could be more important than this @hunterhacker ! ... plenty of things I'm sure, but would really appreciate if this could be addressed... any idea when you will be able to look into it?

Both vulnerabilities seem to be build time vulnerabilities against Xerces 2.11 not required at runtime. Nothing to worry about IMO, but of course, I can foresee QSAs jumping out of joy with these nice new two entries in their reports.

I tried latest version 2.12.2 that dragged me to upgrade xml-apis to 1.3.04 and just 26 out of 1093 failed.
With the existing libraries, only 13 out of 1093 fail, but perhaps that's something in my setup (built using JDK8).

I'm attaching the JUnit reports for the existing and upgraded runs, so that you can gauge the caliber of the changes that might be involved in upgrading these libraries.

Existing version: [screenshot "Screen Shot 2022-04-29 at 15 25 41"]

New Xerces and XML-APIS: [screenshot "Screen Shot 2022-04-29 at 15 18 52"]

I can send a PR if you want those handy @hunterhacker .