XML external entity injections (XXE) are security vulnerabilities allowing attackers to interfere with the processing of XML data of an application. I'm not sure how reliable these security advisories on Calibre are but I think it is worth looking into and to evaluate whether or not this currently affects or could potentially affect Foliate in the future, and what kind of fixes or mitigation strategies there are.