Apache Sling XSS protection is vulnerable to XML External Entity (XXE) processing attacks. The library uses an insecure SAX parser to validate strings, allowing a malicious user to read sensitive data on the filesystem, conduct port scanning behind the firewall, or execute arbitrary code.