unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.
"https://github.com/pypa/advisory-database/blob/main/vulns/unstructured/PYSEC-2026-1993.yaml"