python-docx prior to 0.8.6 allows context-dependent malicious users to conduct XML External Entity (XXE) attacks via a crafted document.
python-openxml project python-docx