libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. CREATE(Triage):(User=admin) CVE-2023-52426 (https://nvd.nist.gov/vuln/detail/CVE-2023-52426)