An XXE vulnerability exists in Karaf's deploy directory. This is mitigated by DDF's documented hardening steps. See DDF Github Issue 4351 for more details.
The below issues have been reported as affecting this version. Refer to the fix version column for resolution. Report issues here.