I just noticed that the following issue https://jira.qos.ch/browse/LOGBACK-1465 (xxe vulnerability in Logback) has been fixed for 1.3.0-alpha7 . 

As this issue has been flagged by our vulnerability scanner, I was wondering if you plan to backport the fix in the branch 1.2.x and release a 1.2.6 ? 

Regards,

Laurent