Improper Restriction of XML External Entity Reference
pikepdf before 2.10.0 allows an XXE attack against PDF XMP metadata parsing.
Advisories for Pypi/Pikepdf package
2022
2021
Improper Restriction of XML External Entity Reference in pikepdf
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.