diff --git a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java
index b3e4689901..cb67c629c3 100644
--- a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java
+++ b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/controller/PlatformFileInfoController.java
@@ -34,6 +34,9 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.xml.XMLConstants;
+import javax.xml.stream.XMLInputFactory;
+
 /** The controller that handles file requests. */
 public class PlatformFileInfoController {
 
@@ -52,7 +55,15 @@ public void uploadFile(Context ctx) throws IOException {
 // validate xml config
 if (name.toLowerCase().endsWith(".xml")) {
 try {
- Configuration configuration = new Configuration();
+ // Explicitly disable external entity processing to prevent XXE attacks,
+ // regardless of the underlying XML parser implementation on the classpath.
+ XMLInputFactory xif = XMLInputFactory.newInstance();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ xif.setProperty(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ xif.createXMLStreamReader(new ByteArrayInputStream(bytes)).close();
+
+ Configuration configuration = new Configuration(false);
 configuration.addResource(new ByteArrayInputStream(bytes));
 configuration.setDeprecatedProperties();
 } catch (Exception e) {
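Review bot: The new pre-check never actually parses the upload: `xif.createXMLStreamReader(new ByteArrayInputStream(bytes)).close()` only constructs a pull-based StAX reader, and the events that `SUPPORT_DTD=false` / `IS_SUPPORTING_EXTERNAL_ENTITIES=false` are meant to reject (the DTD event, entity references in the body) are produced only as `next()` is called, so closing the reader immediately leaves a DOCTYPE or entity declaration in `bytes` unexamined and the comment's promise of protection "regardless of the underlying XML parser" is not delivered before `configuration.addResource` parses the same bytes. Drain the reader before handing the bytes to `Configuration`, as below; this needs `import javax.xml.stream.XMLStreamReader;` next to the new imports, and the `XMLStreamException` it can throw is already covered by the existing `catch (Exception e)`. A second caveat: per its contract `XMLInputFactory.setProperty` throws `IllegalArgumentException` for a property the provider on the classpath does not support, and `FEATURE_SECURE_PROCESSING` is not guaranteed by every StAX implementation, so with the blanket catch an unsupported property would quietly reject every XML upload rather than fail loudly — worth a test against the StAX provider the AMS distribution actually ships. `uploadFile` starts and ends outside this hunk.
```java
        // Explicitly disable external entity processing to prevent XXE attacks,
        // regardless of the underlying XML parser implementation on the classpath.
        XMLInputFactory xif = XMLInputFactory.newInstance();
        // … unchanged: the three setProperty calls …
        // Pull every event so a DOCTYPE or entity declaration is actually seen and rejected;
        // XMLStreamReader is not AutoCloseable, hence the explicit finally.
        XMLStreamReader reader = xif.createXMLStreamReader(new ByteArrayInputStream(bytes));
        try {
          while (reader.hasNext()) {
            reader.next();
          }
        } finally {
          reader.close();
        }

        Configuration configuration = new Configuration(false);
        // … unchanged: addResource / setDeprecatedProperties …
```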