CiviCRM versions 5.11.x and earlier
CiviCRM versions 5.12.0 and 5.7.6
CiviCRM includes the PHPWord library. PHPWord v0.14 is vulnerable to an XML external entity (XXE) attack, which is resolved in v0.15.
Upgrade to the latest version of CiviCRM
Jianingwang of Tencent's XuanWuLab for reporting the issue
Seamus Lee of Australian Greens for fixing the issue