At least we are now in the same company as Postgres, who also had this vulnerability in 2012 🥲
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
#Pleroma Security Release 2.5.4
Fix XML External Entity (XXE) loading vulnerability that allowed fetching arbitrary files from the server's filesystem.
https://pleroma.social/announcements/2023/08/05/pleroma-security-release-2.5.4/
nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw >libxml2
Uuuh… let's say I'm glad I don't have untrusted/remote XML in my other software.