libexpat through 2.6.1 contains an XML Entity Expansion flaw when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).