diff -urEbwB jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
--- jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java	2025-06-25 16:24:04.047615423 +0200
+++ jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java	2025-06-25 16:44:36.017221393 +0200
@@ -24,6 +24,9 @@
 import java.util.Map;
 import java.util.Set;
 
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+
 import org.eclipse.jgit.annotations.NonNull;
 import org.eclipse.jgit.api.errors.GitAPIException;
 import org.eclipse.jgit.gitrepo.RepoProject.CopyFile;
@@ -137,8 +140,12 @@
 		xmlInRead++;
 		final XMLReader xr;
 		try {
-			xr = XMLReaderFactory.createXMLReader();
-		} catch (SAXException e) {
+			SAXParserFactory spf = SAXParserFactory.newInstance();
+			spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			xr = spf.newSAXParser().getXMLReader();
+		} catch (SAXException | ParserConfigurationException e) {
 			throw new IOException(JGitText.get().noXMLParserAvailable, e);
 		}
 		xr.setContentHandler(this);
diff -urEbwB jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
--- jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java	2025-06-25 16:24:04.059648144 +0200
+++ jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java	2025-06-25 16:43:58.800496097 +0200
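Review bot: The reader built in the @@ -137 hunk of ManifestParser.java is not namespace-aware, which is a behaviour change from the removed `XMLReaderFactory.createXMLReader()`: a SAX2 `XMLReader` reports namespaces by default, whereas `SAXParserFactory.newInstance()` defaults `namespaceAware` to false, so `uri` and `localName` in the ContentHandler callbacks will be empty. The AmazonS3 hunk in this same patch calls `setNamespaceAware(true)` and this one does not; the handler (`this`) is outside the hunk, so I cannot see whether it keys on `qName` or `localName`. If it uses `localName`, add `spf.setNamespaceAware(true);` directly after `newInstance()`; if it deliberately uses only `qName`, a one-line comment saying so would stop the next reader from "fixing" it. Minor: the three feature-name literals lack the `//$NON-NLS-1$` tags jgit uses elsewhere (and the AmazonS3 hunk includes), and `disallow-doctype-decl` is a Xerces-specific name, so a non-Xerces SAX provider that rejects it will surface as the misleading `noXMLParserAvailable` IOException — fail-closed, which is correct for manifest input, but worth a comment on the catch.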
@@ -50,6 +50,8 @@
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
 
 import org.eclipse.jgit.internal.JGitText;
 import org.eclipse.jgit.lib.Constants;
@@ -683,8 +685,20 @@
 
 		final XMLReader xr;
 		try {
-			xr = XMLReaderFactory.createXMLReader();
-		} catch (SAXException e) {
+			SAXParserFactory saxParserFactory = SAXParserFactory
+					.newInstance();
+			saxParserFactory.setNamespaceAware(true);
+			saxParserFactory.setFeature(
+					"http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+					false);
+			saxParserFactory.setFeature(
+					"http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+					false);
+			saxParserFactory.setFeature(
+					"http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+					true);
+			xr = saxParserFactory.newSAXParser().getXMLReader();
+		} catch (SAXException | ParserConfigurationException e) {
 			throw new IOException(
 					JGitText.get().noXMLParserAvailable, e);
 		}
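Review bot: `http://apache.org/xml/features/disallow-doctype-decl` in the @@ -683 hunk is a Xerces-specific feature name, and `SAXParserFactory.newInstance()` picks whichever SAX provider the service loader finds first, so a provider that does not recognise it throws `SAXNotRecognizedException`, which this catch reports as `noXMLParserAvailable` — fail-closed, which is the right outcome for XML fetched from the network, but the message blames the parser rather than the hardening. A comment on the catch such as `// Fail closed: a provider that cannot disable DTDs must not parse S3 responses` would make that intent explicit, and adding the provider-neutral `saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (needs `javax.xml.XMLConstants`) alongside the three vendor names keeps the JDK's entity-expansion limits even on a provider that spells those features differently. The `parse` call that consumes `xr` and the enclosing method both lie outside the hunk. With DOCTYPE declarations disallowed the two external-entity features are redundant; keeping them is harmless belt-and-braces and I would not remove them.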