diff --git a/.docker/images/php/01-govcms.ini b/.docker/images/php/01-govcms.ini
index 4756ad099..bd2df1a34 100644
--- a/.docker/images/php/01-govcms.ini
+++ b/.docker/images/php/01-govcms.ini
@@ -4,3 +4,7 @@ session.gc_maxlifetime=3600
 session.cookie_lifetime=0
 upload_max_filesize=256M
 post_max_size=256M
+
+# Prevent remote XML entities from being processed.
+# https://nvd.nist.gov/vuln/detail/CVE-2025-1219
+libxml.disable_entity_loader = 1
\ No newline at end of file