I don't suppose there are (or can be? Or will be?) patched versions of xmltooling for the 2.5 release? We're still on that one, and upgrading to 2.6 at this point is a slightly bigger effort. I'd really rather patch the vulnerability quicker than I can upgrade to 2.6. Regards, Jan P.S. we're still on 2.5.6. Yes, I know we need to upgrade.