stanford-corenlp is vulnerable to XML External Entity (XXE) attacks. The vulnerability exists in the getValidatingXmlParser function in XMLUtils.java due to a lack of sanitization of XML input containing a reference to an external entity, allowing an attacker to pass a malicious schema XML file when SchemaFactory parses the schema XML file.