diff --git a/jme3-plugins/src/xml/java/com/jme3/export/xml/XMLExporter.java b/jme3-plugins/src/xml/java/com/jme3/export/xml/XMLExporter.java
index bc4ef918b0..2541e2494a 100644
--- a/jme3-plugins/src/xml/java/com/jme3/export/xml/XMLExporter.java
+++ b/jme3-plugins/src/xml/java/com/jme3/export/xml/XMLExporter.java
@@ -96,6 +96,9 @@ public void save(Savable object, OutputStream outputStream) throws IOException {
 try {
 TransformerFactory tfFactory = TransformerFactory.newInstance();
 tfFactory.setAttribute("indent-number", indentSpaces);
+ // Disable external DTD and stylesheet access to prevent XXE attacks
+ tfFactory.setAttribute("accessExternalDTD", "");
+ tfFactory.setAttribute("accessExternalStylesheet", "");
 Transformer transformer = tfFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.STANDALONE, "yes");
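Review bot: The keys passed on the two added `setAttribute` lines, `"accessExternalDTD"` and `"accessExternalStylesheet"`, are not the JAXP property names, so this hardening is unlikely to take effect: the JDK's default TransformerFactory matches these properties by their full URI and throws IllegalArgumentException for an attribute name it does not recognize, which would make `save` fail inside the enclosing `try` instead of restricting external access (the catch clauses are outside the hunk, so how that exception surfaces cannot be confirmed here). Use the constants from `javax.xml.XMLConstants`, which also make the intent explicit: `tfFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `tfFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` (adding `import javax.xml.XMLConstants;` if the file does not already have it). Because these properties are only guaranteed for JAXP 1.5+ factories, a third-party TransformerFactory on the classpath may still reject them, so either catch IllegalArgumentException around the two calls and log a warning, or additionally call `tfFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, which every compliant factory must support. Since this class is an exporter, the transformer presumably serializes content the exporter built itself rather than parsing untrusted input, so the comment overstates the threat and would read better as `// Block external DTD/stylesheet resolution during the transform (JAXP 1.5 properties)`. The `save` method and its try block continue past the end of the hunk.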