diff --git a/.classpath b/.classpath
index 367843e9c..e689084f2 100644
--- a/.classpath
+++ b/.classpath
@@ -18,7 +18,7 @@
-
+
diff --git a/build.gradle b/build.gradle
index ed7097ab6..1fa69cca9 100644
--- a/build.gradle
+++ b/build.gradle
@@ -26,10 +26,10 @@ buildscript {
}
repositories {
+ maven { url "https://repository.apache.org/content/repositories/staging" }
mavenCentral()
}
-
// Only add the plugin for Sonar if enabled
if (project.hasProperty('enableSonar')) {
println 'Enabling Sonar support'
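Review bot: The staging repository added to `repositories` sits ahead of `mavenCentral()` and is not scoped to any group, so every dependency resolved through this block is looked up first in a repository of unreleased artifacts that can be replaced or dropped. If the Gradle version in use supports repository content filtering, scope it with `maven { url "https://repository.apache.org/content/repositories/staging"; content { includeGroup "org.apache.xmlbeans" } }`; otherwise at least list it after `mavenCentral()`. Add a comment such as `// temporary: remove once xmlbeans 3.0.1 is on Maven Central` so the entry does not outlive the release vote. The same staging location is hard-coded in the first build.xml hunk (the `value=".../xmlbeans-3.0.1.jar"` line), and no checksum for that download is visible there. Pinning an expected hash would guard against the staged jar changing between builds.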
@@ -216,7 +216,7 @@ project('ooxml') {
compileJava.dependsOn 'ant-compile-ooxml-xsds'
dependencies {
- compile 'org.apache.xmlbeans:xmlbeans:3.0.0'
+ compile 'org.apache.xmlbeans:xmlbeans:3.0.1'
compile 'org.apache.commons:commons-collections4:4.2'
compile 'org.apache.commons:commons-math3:3.6.1'
compile 'org.apache.commons:commons-compress:1.18'
diff --git a/build.xml b/build.xml
index 18233c894..3bd8a951d 100644
--- a/build.xml
+++ b/build.xml
@@ -200,9 +200,9 @@ under the License.
-
+
+ value="https://repository.apache.org/content/repositories/staging/org/apache/xmlbeans/xmlbeans/3.0.1/xmlbeans-3.0.1.jar"/>
@@ -637,7 +637,8 @@ under the License.
-
+
+
@@ -2025,7 +2026,7 @@ under the License.
-
+
diff --git a/maven/poi-ooxml-schemas.pom b/maven/poi-ooxml-schemas.pom
index 295eeab9b..bff66dfb6 100644
--- a/maven/poi-ooxml-schemas.pom
+++ b/maven/poi-ooxml-schemas.pom
@@ -62,7 +62,7 @@
org.apache.xmlbeans
xmlbeans
- 3.0.0
+ 3.0.1
diff --git a/sonar/pom.xml b/sonar/pom.xml
index c76d33163..e6f381cd8 100644
--- a/sonar/pom.xml
+++ b/sonar/pom.xml
@@ -72,7 +72,7 @@
true
- 3.0.0
+ 3.0.1
4.12
2.5.1
2.13.0
diff --git a/src/ooxml/java/org/apache/poi/ooxml/POIXMLTypeLoader.java b/src/ooxml/java/org/apache/poi/ooxml/POIXMLTypeLoader.java
index c795cd0d6..4a7a2b1b7 100644
--- a/src/ooxml/java/org/apache/poi/ooxml/POIXMLTypeLoader.java
+++ b/src/ooxml/java/org/apache/poi/ooxml/POIXMLTypeLoader.java
@@ -40,6 +40,7 @@ public class POIXMLTypeLoader {
DEFAULT_XML_OPTIONS.setUseDefaultNamespace();
DEFAULT_XML_OPTIONS.setSaveAggressiveNamespaces();
DEFAULT_XML_OPTIONS.setCharacterEncoding("UTF-8");
+ DEFAULT_XML_OPTIONS.setEntityExpansionLimit(1);
// Piccolo is disabled for POI builts, i.e. JAXP is used for parsing
// so only user code using XmlObject/XmlToken.Factory.parse
// directly can bypass the entity check, which is probably unlikely (... and not within our responsibility :))
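Review bot: The added `DEFAULT_XML_OPTIONS.setEntityExpansionLimit(1)` has no comment saying what it defends against or why the limit is 1, and the existing comment below it still refers to "the entity check" without naming this setting. I would put `// cap entity expansion so nested entity definitions in an untrusted document cannot exhaust memory while parsing` directly above the call. The limit only applies to parses that use `DEFAULT_XML_OPTIONS`. If the loader's parse methods accept caller-supplied `XmlOptions` (not visible in this hunk), those calls would not inherit it, which is worth stating in the comment or handling in the loader. The initializer these lines belong to starts and ends outside the hunk.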