Zendframework and several Zendservices are vulnerable to XML External Entity (XXE) attacks. The libxml_disable_entity_loader
is not correctly shared between threads then PHP-FPM
is used, allowing attackers to conduct XXE attacks. This is as a result of an incomplete fix for CVE-2012-5657.