diff --git a/src/main/java/me/hao0/common/xml/XmlReaders.java b/src/main/java/me/hao0/common/xml/XmlReaders.java
index b877ce8..c499cd1 100644
--- a/src/main/java/me/hao0/common/xml/XmlReaders.java
+++ b/src/main/java/me/hao0/common/xml/XmlReaders.java
@@ -24,7 +24,10 @@ public class XmlReaders {
 static {
 try {
- builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ // 禁用XML 外部实体注入
+ documentBuilderFactory.setExpandEntityReferences(false);
+ builder = documentBuilderFactory.newDocumentBuilder();
 } catch (ParserConfigurationException e) {
 throw new XmlException("init xml failed");
 }
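Review bot: `setExpandEntityReferences(false)` alone is not a complete XXE mitigation for the factory built in this static block. It only controls whether entity reference nodes are expanded in the resulting DOM, so a DOCTYPE is still accepted, and external DTDs or parameter entities may still be resolved, depending on the parser implementation. Before `newDocumentBuilder()` I would add `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `documentBuilderFactory.setXIncludeAware(false);`. The `ParserConfigurationException` that `setFeature` can throw is already covered by the existing catch, though that catch drops `e`, so an unsupported feature would surface only as "init xml failed" with no cause. If callers must accept DTDs, the fallback is to set `http://xml.org/sax/features/external-general-entities`, `http://xml.org/sax/features/external-parameter-entities` and `http://apache.org/xml/features/nonvalidating/load-external-dtd` to false instead; the static initializer's closing brace is outside this hunk.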