The Spreadsheet::ParseXLSX package prior to 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig.
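A pre-parse gate for services that accept uploaded workbooks, added here as an example and not taken from the advisory or the Spreadsheet::ParseXLSX project: it compares the installed version with the fixed release 0.30 and rejects any archive whose parts contain a DOCTYPE or ENTITY declaration. The function names, the rejection policy and the sample archive are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example: not code from the advisory or from Spreadsheet::ParseXLSX.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempdir);
use version;

# True when the given version is at or above 0.30, the fixed release
# named in the advisory.
sub parser_is_patched {
    my ($installed) = @_;
    return version->parse($installed) >= version->parse('0.30');
}

# Names of archive members that carry a DOCTYPE or ENTITY declaration.
# Policy assumed by this example: a workbook part has no need for a DTD,
# so any hit means the file is rejected before it reaches the parser.
sub parts_with_dtd {
    my ($path) = @_;
    my $zip = Archive::Zip->new;
    $zip->read($path) == AZ_OK or die "cannot read $path as a zip archive\n";
    my @hits;
    for my $member ($zip->members) {
        next if $member->isDirectory;
        my $body = $member->contents // '';
        $body =~ tr/\0//d;    # fold UTF-16 so the ASCII pattern still matches
        push @hits, $member->fileName if $body =~ /<!(?:DOCTYPE|ENTITY)\b/;
    }
    return @hits;
}

# Constructed sample archive: one clean part, one part with an empty,
# entity-free DOCTYPE, enough to trip the screen.
my $dir    = tempdir(CLEANUP => 1);
my $sample = "$dir/sample.xlsx";
my $out    = Archive::Zip->new;
$out->addString('<?xml version="1.0"?><workbook/>', 'xl/workbook.xml');
$out->addString('<?xml version="1.0"?><!DOCTYPE sst []><sst/>', 'xl/sharedStrings.xml');
$out->writeToFileNamed($sample) == AZ_OK or die "cannot write $sample\n";

my $installed = eval { require Spreadsheet::ParseXLSX; Spreadsheet::ParseXLSX->VERSION };
if    (!defined $installed)           { print "Spreadsheet::ParseXLSX is not installed\n" }
elsif (parser_is_patched($installed)) { print "installed $installed: patched\n" }
else                                  { print "installed $installed: upgrade to 0.30 or later\n" }

my @hits = parts_with_dtd($sample);
print @hits ? "reject $sample: DTD in @hits\n" : "accept $sample\n";
```

The screen is defence in depth for hosts that cannot be upgraded at once; the fix itself is version 0.30 or later.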