github
diff --git a/‎…/change-notes/2026-04-16-woodstox-xxe.md‎ ‎…/change-notes/2026-04-16-woodstox-xxe.md‎java/ql/src/change-notes/2026-04-16-woodstox-xxe.md renamed to java/ql/lib/change-notes/2026-04-16-woodstox-xxe.md b/‎…/change-notes/2026-04-16-woodstox-xxe.md‎ ‎…/change-notes/2026-04-16-woodstox-xxe.md‎java/ql/src/change-notes/2026-04-16-woodstox-xxe.md renamed to java/ql/lib/change-notes/2026-04-16-woodstox-xxe.md
diff --git a/‎java/ql/lib/semmle/code/java/frameworks/woodstox/WoodstoxXml.qll‎
Lines changed: 0 additions & 93 deletions b/‎java/ql/lib/semmle/code/java/frameworks/woodstox/WoodstoxXml.qll‎
Lines changed: 0 additions & 93 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/XmlParsers.qll‎
Lines changed: 27 additions & 5 deletions b/‎java/ql/lib/semmle/code/java/security/XmlParsers.qll‎
Lines changed: 27 additions & 5 deletions
@@ -12,7 +12,6 @@ private module Frameworks {
   private import semmle.code.java.frameworks.javase.Beans
   private import semmle.code.java.frameworks.mdht.MdhtXml
   private import semmle.code.java.frameworks.rundeck.RundeckXml
-  private import semmle.code.java.frameworks.woodstox.WoodstoxXml
 }
 
 /**
@@ -180,12 +179,29 @@ class XmlInputFactory extends RefType {
   XmlInputFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.stream", "XMLInputFactory") }
 }
 
-/** A call to `XMLInputFactory.createXMLStreamReader`. */
+/**
+ * The class `com.ctc.wstx.stax.WstxInputFactory` or its abstract supertype
+ * `org.codehaus.stax2.XMLInputFactory2` from the Woodstox StAX library.
+ */
+class WstxInputFactory extends RefType {
+  WstxInputFactory() {
+    this.hasQualifiedName("com.ctc.wstx.stax", "WstxInputFactory") or
+    this.hasQualifiedName("org.codehaus.stax2", "XMLInputFactory2")
+  }
+}
+
+/**
+ * A call to `XMLInputFactory.createXMLStreamReader` or the equivalent method on the
+ * Woodstox `WstxInputFactory`.
+ */
 class XmlInputFactoryStreamReader extends XmlParserCall {
   XmlInputFactoryStreamReader() {
     exists(Method m |
       this.getMethod() = m and
-      m.getDeclaringType() instanceof XmlInputFactory and
+      (
+        m.getDeclaringType() instanceof XmlInputFactory or
+        m.getDeclaringType() instanceof WstxInputFactory
+      ) and
       m.hasName("createXMLStreamReader")
     )
   }
@@ -213,7 +229,10 @@ class XmlInputFactoryEventReader extends XmlParserCall {
   XmlInputFactoryEventReader() {
     exists(Method m |
       this.getMethod() = m and
-      m.getDeclaringType() instanceof XmlInputFactory and
+      (
+        m.getDeclaringType() instanceof XmlInputFactory or
+        m.getDeclaringType() instanceof WstxInputFactory
+      ) and
       m.hasName("createXMLEventReader")
     )
   }
@@ -236,7 +255,10 @@ class XmlInputFactoryConfig extends ParserConfig {
   XmlInputFactoryConfig() {
     exists(Method m |
       m = this.getMethod() and
-      m.getDeclaringType() instanceof XmlInputFactory and
+      (
+        m.getDeclaringType() instanceof XmlInputFactory or
+        m.getDeclaringType() instanceof WstxInputFactory
+      ) and
       m.hasName("setProperty")
     )
   }