| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| SOAPpy | pip | <= 0.12.5 | |
The vulnerability stems from SOAPpy's use of the `xml.sax` parser with default settings that resolve external entities. The `SOAPParser.parse` method is responsible for parsing incoming SOAP requests, and since it does not explicitly disable external entity resolution (e.g., via `setFeature(SAX_FEATURES['external_ges'], False)`), it permits XXE attacks. The reproduction steps and CVE details confirm that unpatched SOAPpy versions process untrusted XML input with insecure parser configurations.
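The effect of the external-general-entities feature described above can be checked with the standard library alone. This is an added example, not SOAPpy's code or the advisory's reproduction; the sample envelope, `RecordingResolver`, `legacy_parser`, `hardened_parser` and `external_entities_requested` are constructed names, and the resolver returns an empty stream so nothing is read from disk or network.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample: SOAP-style envelope that declares one external general entity.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [<!ENTITY probe SYSTEM "file:///constructed/xxe-probe.txt">]>
<Envelope><Body><echo>&probe;</echo></Body></Envelope>"""


class RecordingResolver(EntityResolver):
    """Logs each external entity the parser asks for and hands back empty content."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(b""))  # never open the real target
        return source


def legacy_parser():
    # Assumption: reproduces the old xml.sax default (external general entities
    # resolved). Python 3.7.1 and later ship with this feature off by default.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    return parser


def hardened_parser():
    # The explicit setting the advisory says SOAPParser.parse was missing.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    return parser


def external_entities_requested(parser, xml_bytes):
    """Parse xml_bytes and return the system IDs the parser tried to resolve."""
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(ContentHandler())
    parser.parse(io.BytesIO(xml_bytes))
    return resolver.requested
```

A non-empty result for a given parser configuration means untrusted XML can make it fetch external resources; the hardened configuration should always return an empty list.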