During visualization with Squiggle or rasterization via the CLI tool, XML external entities defined in the DTD are dereferenced and the content of the target file is included in the output.
The impact of this vulnerability range form denial of service to file disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
For some additional information about XXE attacks, please refer to http://cwe.mitre.org/data/definitions/827.html
How to reproduce:
$> rasterizer xxe.svg -d xxe.png