GHSA-p5wc-9w9r-m232: Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser
ultimate-sitemap-parser versions 1.8.0 and earlier parse attacker-controlled XML with Python's xml.parsers.expat without restricting DTD declarations or nested entity references. An attacker who can serve a malicious sitemap can trigger exponential entity expansion (the "Billion Laughs" attack), consuming unbounded CPU and memory in the parsing process. No authentication, user interaction or special configuration is required: the issue is reachable by default through any call to sitemap_tree_for_homepage() or sitemap_from_str() on untrusted input.
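The following is an added example, not code from ultimate-sitemap-parser or from the advisory. It builds a scaled-down Billion Laughs payload shaped like a sitemap, feeds it to a bare xml.parsers.expat parser in the unrestricted way described above, and contrasts that with a hardened parser that aborts as soon as a DOCTYPE or entity declaration appears. The function names (`build_billion_laughs`, `parse_unrestricted`, `parse_hardened`, `rejects`), the `DTDForbidden` exception and the sample documents are this example's own; the payload is kept to 10**4 expansions so it runs in milliseconds, whereas the real attack uses roughly 10**9.

```python
"""Billion Laughs against xml.parsers.expat: vulnerable and hardened parsers.
Added example, not part of ultimate-sitemap-parser. Names are illustrative."""
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised by the hardened parser when the input carries a DOCTYPE or entity."""


def build_billion_laughs(depth: int, fanout: int) -> bytes:
    """Constructed payload: a sitemap whose internal DTD defines `depth` entity
    levels, each referencing the previous level `fanout` times, so the single
    &lolN; reference inside <loc> expands to fanout**depth copies of "lol"."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    parts = [
        '<?xml version="1.0"?>',
        "<!DOCTYPE urlset [", *decls, "]>",
        '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
        f"  <url><loc>https://example.com/&lol{depth};</loc></url>",
        "</urlset>",
    ]
    return "\n".join(parts).encode()


# Constructed benign input: an ordinary sitemap with no DTD at all.
BENIGN_SITEMAP = (
    '<?xml version="1.0"?>\n'
    '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n'
    "  <url><loc>https://example.com/page</loc></url>\n"
    "</urlset>\n"
).encode()


def _count_loc_chars(parser):
    """Install handlers that total the character data delivered inside <loc>;
    returns a callable that reads the running total."""
    state = {"in_loc": False, "chars": 0}

    def start(name, attrs):
        state["in_loc"] = state["in_loc"] or name == "loc"

    def end(name):
        if name == "loc":
            state["in_loc"] = False

    def chars(text):
        if state["in_loc"]:
            state["chars"] += len(text)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return lambda: state["chars"]


def parse_unrestricted(data: bytes) -> int:
    """Vulnerable pattern: a bare expat parser expands every internal entity
    reference, however deeply nested. Returns how many <loc> characters were
    actually materialised, i.e. the amplified size for the payload."""
    parser = xml.parsers.expat.ParserCreate()
    total = _count_loc_chars(parser)
    parser.Parse(data, True)
    return total()


def parse_hardened(data: bytes) -> int:
    """Hardened pattern: refuse any DOCTYPE or entity declaration. An exception
    raised inside an expat handler propagates out of Parse(), so parsing stops
    before a single entity is expanded. Sitemaps never legitimately need a DTD."""
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in sitemap input")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity declaration {name!r} is not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    total = _count_loc_chars(parser)
    parser.Parse(data, True)
    return total()


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data)
    except DTDForbidden:
        return True
    return False


if __name__ == "__main__":
    payload = build_billion_laughs(4, 10)
    expanded = parse_unrestricted(payload)
    print(f"{len(payload)} input bytes -> {expanded} chars inside <loc> "
          f"(about x{expanded / len(payload):.0f} amplification)")
    print("hardened parser rejects payload:", rejects(payload))
    print("hardened parser on benign sitemap:", parse_hardened(BENIGN_SITEMAP))
```

Rejecting the DOCTYPE outright is the simplest fix and is what a sitemap consumer should do, since the sitemap format defines no DTD. Relying on libexpat's own amplification limit (added in libexpat 2.4.0) is not a substitute: it only activates after several megabytes of output, is not configurable from Python's xml.parsers.expat, and depends on the libexpat the interpreter was built against. The same handler approach is what the defusedxml package applies to the stdlib parsers, if a dependency is acceptable.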