CiviCRM includes the PHPWord library. PHPWord v0.14 is vulnerable to an XML external entity attack - which is resolved in v0.15.
CiviCRM versions 5.11.x and earlier
CiviCRM version 5.12.0 and 5.7.6
Upgrade to the latest version of CiviCRM
Jianingwang of Tencent‘s XuanWuLab for reporting the issue
Seamus Lee of Australian Greens for fixing the issue