BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.Referenceshttps://www.securitymetrics.com/blog/blogenginenet-xml-external-entity-attacks
