TCPDF converts HTML content to PDF. The library had vulnerabilities, including cross-site scripting and remote code execution. The library has now been upgraded to a fixed version.
CiviCRM versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
Upgrade to the latest version of CiviCRM
Jon Goldberg of Megaphone Technology Consulting for reporting the issue
Seamus Lee of Australian Greens for fixing the issue