diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index b949f0abe..a6e3ff5a6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -22,6 +22,7 @@ package org.owasp.webgoat.lessons.xxe;
+import static io.github.pixee.security.XMLInputFactorySecurity.hardenFactory;
 import static java.util.Optional.empty;
 import static java.util.Optional.of;
@@ -95,7 +96,7 @@ protected Comments getComments() {
 */
 protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
 var jc = JAXBContext.newInstance(Comment.class);
- var xif = XMLInputFactory.newInstance();
+ var xif = hardenFactory(XMLInputFactory.newInstance());
 if (webSession.isSecurityEnabled()) {
 xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant