pikepdf before 2.10.0 allows an XXE attack against PDF XMP metadata parsing.
bugs.gentoo.org/779475
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46849
github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100
launchpad.net/bugs/cve/CVE-2021-46849
nvd.nist.gov/vuln/detail/CVE-2021-46849
security-tracker.debian.org/tracker/CVE-2021-46849