libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
This flaw only applies to applications compiled against libxml2 which use xsltCheckRead and xsltCheckWrite functions and/or allow users to load arbitrary URLs to be parsed via libxml2. In all other cases, applications are not vulnerable.