{"id":"CVE-2021-29421","details":"models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.","aliases":["GHSA-ccgm-3xw4-h5p8","PYSEC-2021-34"],"modified":"2026-05-16T04:03:03.863671765Z","published":"2021-04-01T20:15:12.453Z","related":["openSUSE-SU-2024:11250-1","openSUSE-SU-2024:13864-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"fedoraproject:fedora","extracted_events":[{"last_affected":"32"},{"last_affected":"33"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36P4HTLBJPO524WMQWW57N3QRF4RFSJG/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QFLBBYGEDNXJ7FS6PIWTVI4T4BUPGEQ/"},{"type":"ADVISORY","url":"https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100"},{"type":"FIX","url":"https://github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}