We received quite a few false positive CVE reports about XXE (XML external entity) attacks recently. This seems to be the result of code search and automated tools that look for `SAXParserFactory`, `TransformerFactory` or `DocumentBuilderFactory` usage, without considering usage or context.
In Spring Framework, all XML parsing of "user content" is done with external entity support turned off by default. The other usages are internal to the application (such as parsing XML configuration) and do not qualify as privilege escalation.
We should add dedicated comments in the source code to prevent future invalid reports in this area.
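As an added illustration (not code from the Spring Framework repository), the following Java snippet shows the kind of parser configuration that makes a `DocumentBuilderFactory` usage a non-finding: DTD processing is disallowed and external entity resolution is switched off, so an untrusted document that declares an external entity is refused before anything is resolved. The feature names are the standard JAXP/Xerces ones supported by the JDK parser; the sample XML, the placeholder URL and the class name are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardeningCheck {

    // Constructed sample of untrusted input: well-formed XML carrying a DOCTYPE
    // that declares an external (SYSTEM) entity. The URL is a placeholder and
    // is never contacted by the hardened parser below.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>\n"
        + "<data>&ext;</data>";

    // Factory configured the way user-supplied XML should be parsed: no DTD at
    // all (so no entity can even be declared), external entities off, XInclude
    // off, and secure processing limits on. A factory left at its defaults is
    // what automated scanners flag, regardless of what it is used for.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the configured parser refuses the document, which is the
    // expected outcome for untrusted input containing a DOCTYPE.
    static boolean refusesExternalEntities(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Belt and braces: even if a feature were unsupported, resolve nothing.
        builder.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity resolution blocked: " + systemId);
        });
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // document accepted: this factory is not hardened
        } catch (SAXException e) {
            return true;  // "DOCTYPE is disallowed" is raised before any resolution
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened factory refuses DOCTYPE: "
            + refusesExternalEntities(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

The check is the one a reviewer can run against any flagged parser usage: if the factory handed to user content passes it, the report is a false positive.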