Which platforms? Really, I am curious. Checking our XML in processors and there is nothing there that could lead to execution of what is within the XML.
Are there examples somewhere I can see to understand how this is even possible?
There have been many vulnerabilities in YAML parsers for Ruby because they let you encode actual objects / code.
JSON, despite being "JavaScript object notation", can't actually encode full code/objects. You only have a few datatypes: (off the top of my head) bools, strings, numbers, arrays, key/value dicts. None of these are dangerous or difficult to parse.
What you might be thinking about is the recent Ruby on Rails vulnerability which was caused by transforming JSON into YAML and then parsing the YAML. It would be more accurate to say the YAML parser was vulnerable.
Your claim that "JSON parsers are notoriously vulnerable" implies that this is a common occurrence as well, not just a single incident.
I personally don't see it as likely because JSON has pretty much no features compared to XML; the surface area is tiny.
Agreeing with the other statement: a JSON deserializer should never be executing arbitrary code as part of a feature of the deserializer. YAML, Python pickle, PHP serialization, etc. all allow serialization of arbitrary class instances by default, but JSON only allows simple data types.
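An added illustration of the distinction drawn in the comments above (not code posted by anyone in the thread): Python's `json` decodes only to plain data types, while the default `pickle` loader calls whatever callable the byte stream names. `Carrier`, `DataOnlyUnpickler` and both sample inputs are constructed for this example, and the harmless builtin `len` stands in for the callable.

```python
import io
import json
import pickle


class Carrier:
    # pickle stores the callable and arguments returned here by reference;
    # the default loader then calls them while rebuilding the object.
    def __reduce__(self):
        return (len, ("abc",))


class DataOnlyUnpickler(pickle.Unpickler):
    """Loader that refuses every global reference, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def json_types(text):
    """Return the names of every Python type a JSON document decodes to."""
    seen = set()

    def walk(value):
        seen.add(type(value).__name__)
        if isinstance(value, dict):
            for item in value.values():
                walk(item)
        elif isinstance(value, list):
            for item in value:
                walk(item)

    walk(json.loads(text))
    return seen


def load_pickle_default(blob):
    return pickle.loads(blob)


def load_pickle_data_only(blob):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


# Constructed inputs: a JSON document that merely *names* a callable, and a
# pickle stream that instructs the loader to call it.
SAMPLE_JSON = '{"class": "builtins.len", "args": ["abc"], "n": 1, "f": 1.5, "ok": true, "x": null}'
SAMPLE_PICKLE = pickle.dumps(Carrier())
```

With the JSON input the name `builtins.len` stays an inert string; with the pickle input the default loader returns the result of the call instead of a `Carrier`, and the data-only loader rejects the stream.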