Improper Restriction of XML External Entity Reference
The Zend_Xml_Security::scan in ZendXml and Zend Framework, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.