Zeep: Server-Side Request Forgery (SSRF)
When parsing a WSDL or XSD document, python-zeep follows transitive references — xsd:import, xsd:include, wsdl:import, and lxml entity/DTD resolution — and will fetch http/https URLs found in those references. The Settings.forbid_external option, intended to disable this transitive remote fetching, was defined but not wired to any logic from version 4.0.0 through 4.3.2 (a regression introduced when zeep moved off defusedxml in 4.0). As a result, setting forbid_external=True had no effect, …