models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.
github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a
lists.fedoraproject.org/archives/list/[email protected]/message/36P4HTLBJPO524WMQWW57N3QRF4RFSJG
lists.fedoraproject.org/archives/list/[email protected]/message/3QFLBBYGEDNXJ7FS6PIWTVI4T4BUPGEQ
nvd.nist.gov/vuln/detail/CVE-2021-29421