XML parsing vulnerability

This is a little bit late to the game, but remotely exploitable vulnerabilities aren’t the kind of security I’ve had to worry about much in the past six months. That said, back in August an advisory for a lot of common XML parsers was published by CERT:

CERT-FI Advisory on XML libraries
CVE database entry

Freenet has claimed that this is a potential remote execution vulnerability in Java with sploits in the wild, but the CERT advisory and the various bugs submitted to individual projects seem to think it’s only a DoS bug, and that seems a lot more likely in my judgement.
