pikepdf is vulnerable to XML External Entities (XXE). The vulnerability exists through parsing XMP metadata entries when parsing BytesIO(xml)
.
github.com/advisories/GHSA-ccgm-3xw4-h5p8
github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a
lists.fedoraproject.org/archives/list/[email protected]/message/36P4HTLBJPO524WMQWW57N3QRF4RFSJG/
lists.fedoraproject.org/archives/list/[email protected]/message/3QFLBBYGEDNXJ7FS6PIWTVI4T4BUPGEQ/