Comment # 1 on bug 1173633 from
openSUSE has Tuxguitar 1.4 instead of 1.5.4

According to the OWASP XXE Prevention Cheat Sheet
<https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html>,
this problem can be solved by proper configuration of a parser:

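import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any document that contains a DOCTYPE declaration.
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);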

However, I don't know where to patch Tuxguitar...
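
A stand-alone check of what the feature quoted above does, added here as an example (it is not TuxGuitar code and not part of the original comment). The class name `DoctypeCheck` and both sample documents are constructed for illustration; the hardened parser should reject any input carrying a DOCTYPE while still accepting plain XML.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class DoctypeCheck {
    static final String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample inputs (hypothetical, not real TuxGuitar files).
    static final String PLAIN = "<song><title>demo</title></song>";
    static final String WITH_DOCTYPE =
        "<!DOCTYPE song [<!ENTITY t \"expanded\">]><song><title>&t;</title></song>";

    static DocumentBuilder builder(boolean hardened) throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (hardened) {
            // Throws ParserConfigurationException if the parser implementation
            // does not know the feature, so the caller fails closed.
            dbf.setFeature(FEATURE, true);
        }
        return dbf.newDocumentBuilder();
    }

    static String parse(boolean hardened, String xml) {
        try {
            DocumentBuilder db = builder(hardened);
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            String text = db.parse(new ByteArrayInputStream(bytes))
                            .getDocumentElement().getTextContent();
            return "parsed, text=" + text;
        } catch (SAXException e) {
            // A DOCTYPE in the input is reported as a fatal parse error.
            return "rejected: " + e.getMessage();
        } catch (ParserConfigurationException | IOException e) {
            return "setup/IO error: " + e;
        }
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] {false, true}) {
            String mode = hardened ? "hardened" : "default";
            System.out.println(mode + " / plain XML:    " + parse(hardened, PLAIN));
            System.out.println(mode + " / with DOCTYPE: " + parse(hardened, WITH_DOCTYPE));
        }
    }
}
```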

