diff --git a/java/timebase/server/src/main/java/com/epam/deltix/qsrv/hf/tickdb/http/TimebaseServlet.java b/java/timebase/server/src/main/java/com/epam/deltix/qsrv/hf/tickdb/http/TimebaseServlet.java
index 20ea36cc..a065fbd8 100644
--- a/java/timebase/server/src/main/java/com/epam/deltix/qsrv/hf/tickdb/http/TimebaseServlet.java
+++ b/java/timebase/server/src/main/java/com/epam/deltix/qsrv/hf/tickdb/http/TimebaseServlet.java
@@ -49,6 +49,9 @@ import static com.epam.deltix.qsrv.hf.tickdb.http.HTTPProtocol.marshall;
 import static com.epam.deltix.qsrv.hf.tickdb.http.HTTPProtocol.LOGGER;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
 /**
  *
  */
@@ -99,7 +102,16 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws
 LOGGER.fine("request: " + xml);
 }
- body = um.unmarshal(new StringReader(xml));
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ XMLStreamReader xsr = null;
+ try {
+ xsr = xif.createXMLStreamReader(new StringReader(xml));
+ } catch(XMLStreamException e) {
+ throw new RuntimeException(e);
+ }
+ body = um.unmarshal(xsr);
 } catch (InterruptedException e) {
 throw new RuntimeException(e);
 }
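Review bot: The XMLStreamReader created at `xsr = xif.createXMLStreamReader(new StringReader(xml));` is never closed once `body = um.unmarshal(xsr);` returns or throws, and the `XMLStreamReader xsr = null;` initialisation exists only so the variable is definitely assigned after the try block. Declaring it unassigned and wrapping the unmarshal in try/finally with `xsr.close()` (which itself throws XMLStreamException, so it needs its own catch) fixes both; the hardening itself (`SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to false) is correct and deserves a one-line why-comment such as `// request body is untrusted: disable DTD processing and external entities`. Also, `XMLInputFactory.newFactory()` performs a provider lookup on every request and could be cached in a static field, but only if the chosen StAX implementation is documented thread-safe after configuration, which this hunk does not establish. Minor: `catch(XMLStreamException e)` lacks the space used by `catch (InterruptedException e)` two lines below. The enclosing `service` method starts and ends outside the hunk, so whatever handles the UnmarshalException that a malformed or DTD-bearing body now produces is not visible here.
```java
// request body is untrusted: disable DTD processing and external entities
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
XMLStreamReader xsr;
try {
    xsr = xif.createXMLStreamReader(new StringReader(xml));
} catch (XMLStreamException e) {
    throw new RuntimeException(e);
}
try {
    body = um.unmarshal(xsr);
} finally {
    try {
        xsr.close();
    } catch (XMLStreamException ignored) {
        // reader is backed by an in-memory StringReader; nothing further to release
    }
}
```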