I received a ticket from a security scanner at work, saying https://github.com/wiremock/wiremock/blob/master/src/main/java/com/github/tomakehurst/wiremock/common/xml/Xml.java may be vulnerable to an XML eXternal Entity injection because it doesn't disable loading external entities. Shall we fix this?

Yes, please do raise PR for this when you have a moment. I suspect this is safe to disable, despite being technically being a breaking change.

Done: https://github.com/wiremock/wiremock/pull/2603