stanford-corenlp is vulnerable to XML external entity (XXE) injection. The readDocument() function in ‘DomReader.java’ does not disable access to external entities by default, so an attacker can supply a crafted XML file and expose the contents of local files to the remote server.