Reportlab up to and including v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
"https://github.com/pypa/advisory-database/blob/main/vulns/reportlab/PYSEC-2026-1871.yaml"