diff --git a/icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java b/icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java
index 1c9eb9d70e2..20f546314b7 100644
--- a/icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java
+++ b/icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java
@@ -23,6 +23,7 @@ import java.util.TreeSet;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -142,7 +143,16 @@ public class JacocoReportCheck {
     private static Map<String, ReportEntry> parseReport(File reportXmlFile) {
         try {
             Map<String, ReportEntry> entries = new TreeMap<String, ReportEntry>();
-            DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            // Securely configure DocumentBuilderFactory
+            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            docFactory.setNamespaceAware(true);
+
+            DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             docBuilder.setEntityResolver(new EntityResolver() {
                 // Ignores JaCoCo report DTD
                 public InputSource resolveEntity(String publicId, String systemId) {
diff --git a/icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java b/icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java
index aece3d7d6e4..94a0a730dad 100644
--- a/icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java
+++ b/icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java
@@ -20,6 +20,7 @@ import java.util.Date;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 
@@ -407,7 +408,22 @@ public final class XLIFF2ICUConverter {
 
         String urls = filenameToURL(xmlfileName);
         DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
-        dfactory.setNamespaceAware(true);
+
+        try {
+            // Set secure processing features to avoid XXE attacks
+            dfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dfactory.setNamespaceAware(true);
+
+            // Disable access to external DTDs and entities to mitigate XXE attacks
+            dfactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            dfactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (ParserConfigurationException e) {
+            System.err.println("ERROR: Parser configuration error: " + e.getMessage());
+            System.exit(-1);
+        }
+
         Document doc = null;
 
         if (xliff10) {