CiviCRM versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
TCPDF converts HTML content to PDF. The library had vulnerabilities, including cross-site scripting and remote code execution. The library has now been upgraded to a fixed version.
Upgrade to the latest version of CiviCRM
Jon Goldberg of Megaphone Technology Consulting for reporting the issue
Seamus Lee of Australian Greens for fixing the issue