Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.
GHSA-24hm-wm2h-h8w7: Peppol-py is vulnerable to XXE attacks due to Saxon configuration
Peppol-py before 1.1.1 is vulnerable to XXE attacks due to Saxon configuration, allowing remote file content exposure during XML invoice validation.
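
A pre-validation gate for the issue described above, as an added example that is not Peppol-py's code and not the fix shipped in 1.1.1: it refuses any invoice that carries a DOCTYPE or entity declaration before the document is handed to the validator. It assumes the invoices being validated never legitimately need a DTD; the function names and the sample documents are constructed for illustration.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when an invoice carries a DTD or an entity declaration."""


def assert_no_doctype(xml_bytes: bytes) -> None:
    """Scan the document with expat and raise if any DTD construct appears.

    Assumption: the invoice formats in use never require a DOCTYPE, so
    rejecting it outright is safe. expat is used only as a detector here;
    it does not fetch external entities unless a handler is installed.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE declaration not allowed (root: {name})")

    def reject_entity(*_args):
        raise DoctypeRejected("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    # Keep parameter-entity processing off explicitly (this is also the default).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc


def safe_to_validate(xml_bytes: bytes) -> bool:
    """Return True only for well-formed XML without DTD constructs."""
    try:
        assert_no_doctype(xml_bytes)
    except ValueError:
        return False
    return True


# Constructed sample inputs (not taken from the advisory).
CLEAN_INVOICE = b'<?xml version="1.0"?><Invoice><ID>constructed-001</ID></Invoice>'
DTD_INVOICE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Invoice [<!ENTITY ref SYSTEM "file:///constructed/placeholder">]>'
    b"<Invoice><ID>&ref;</ID></Invoice>"
)
```

Upgrading to 1.1.1 or later remains the remedy the advisory gives; a gate like this only adds a check in front of the validator.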