See also bug 598764 regarding the problem in dev-perl/XML-Twig which caused external entities to always expand which can be a problem in case the input XML cannot be trusted, i.e. an entity like C<< <!ENTITY xxe PUBLIC "bar" "/etc/passwd"> >> could make the password field available in the document. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.
As hint: Grep the source code for "Twig->new". If you see that the code will set the "no_xxe" option we can be sure that the author is aware of the problem and is handling entities on purpose. If you cannot find the new option check if the code will get in touch with XML input which cannot be trusted or better bring this to upstream's attention.
(In reply to Thomas Deutschmann from comment #1) > As hint: > > Grep the source code for "Twig->new". Also grep for: Twig::new And new XML::Twig Because of course there's 3 different syntax for that. ( And the last of these was even recommended once upon a time https://metacpan.org/pod/release/MIROD/XML-Twig-2.02/Twig.pm#SYNOPSIS )