Thanks for your email and the concern you raised, Jeremy.
Full accessibility in Smuxi has been a high priority for me for a long time.
I looked into the vulnerability in the log4net library that Smuxi depends on. My assessment doesn't classify an XXE in a local configuration file as release critical. An attacker would need to have write access to the configuration file to exploit it. At that point an XXE is pointless; he can just execute curl, wget, perl or python, or write something to ~/.bashrc directly.
Having identified the offending code, on the other hand, the fix is a one-line change. I plan to upload a fixed version of log4net in the coming days.
Bumping log4net to the latest version so late in the release cycle is not something I see as a good option. There are 2 other reverse dependencies that could break, and I am not upstream of those.
Best regards,
Mirco Bauer
Smuxi and Debian developer
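An added illustration of the class of issue discussed in the mail above; this is not code from log4net, Smuxi or the mail's author, and it does not claim to be the exact line log4net changed. It shows a log4net-style XML configuration loader in C#, first loaded with an explicit XmlUrlResolver (so a DOCTYPE in the config file pulls another readable file into the document), then with DTD processing prohibited, which is the standard .NET hardening for this pattern. The temp directory, the "secret" file and the sample config are constructed for the demo, and the entity deliberately points at that constructed file rather than anything on the real system.

```csharp
using System;
using System.IO;
using System.Xml;

// Illustrative loader, not log4net's own XmlConfigurator.
public static class XmlConfigLoading
{
    // Vulnerable pattern: with an XmlUrlResolver attached (the historical .NET Framework
    // default for XmlDocument), SYSTEM entities declared in a DOCTYPE are fetched and
    // expanded, so a DOCTYPE in the config file can splice in any file the process can read.
    // The resolver is set explicitly here so behaviour does not depend on the runtime's default.
    public static XmlDocument LoadWithDefaultResolver(string path)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = new XmlUrlResolver();
        doc.Load(path);
        return doc;
    }

    // Hardened pattern: reject DTDs outright and never resolve external resources.
    // A logging configuration has no legitimate need for either.
    public static XmlDocument LoadWithoutDtd(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null                       // nothing external is ever fetched
        };
        using (var reader = XmlReader.Create(path, settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    public static void Main()
    {
        // Constructed scratch directory, "secret" file and config; nothing here is real data.
        string dir = Path.Combine(Path.GetTempPath(), "xxe-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        string secret = Path.Combine(dir, "secret.txt");
        string config = Path.Combine(dir, "log4net.config");
        File.WriteAllText(secret, "CONSTRUCTED-SECRET");

        // Whoever can write this file can plant the DOCTYPE; as the mail notes, that
        // person could already do far worse than read a file.
        // The entity is used in element content, since XML forbids external entity
        // references inside attribute values.
        File.WriteAllText(config,
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE log4net [ <!ENTITY xxe SYSTEM \"" + new Uri(secret).AbsoluteUri + "\"> ]>\n" +
            "<log4net>\n" +
            "  <appender name=\"Console\" type=\"log4net.Appender.ConsoleAppender\">\n" +
            "    <layout type=\"log4net.Layout.PatternLayout\">\n" +
            "      <conversionPattern>&xxe;</conversionPattern>\n" +
            "    </layout>\n" +
            "  </appender>\n" +
            "</log4net>\n");

        try
        {
            XmlDocument unsafeDoc = LoadWithDefaultResolver(config);
            XmlNode pattern = unsafeDoc.SelectSingleNode("//conversionPattern");
            Console.WriteLine("resolver-enabled loader expanded the entity to: "
                              + (pattern == null ? "<missing>" : pattern.InnerText));

            try
            {
                LoadWithoutDtd(config);
                Console.WriteLine("unexpected: hardened loader accepted a DOCTYPE");
            }
            catch (XmlException e)
            {
                Console.WriteLine("hardened loader rejected the file: " + e.Message);
            }
        }
        finally
        {
            Directory.Delete(dir, true);
        }
    }
}
```

Build it as a plain console program (csc on .NET Framework or `dotnet run` on .NET Core and later). The first loader prints the contents of the constructed secret file in place of the entity; the second throws an XmlException as soon as it sees the DOCTYPE. Setting `DtdProcessing.Prohibit` on the `XmlReaderSettings` is the single setting that closes the hole for a config file that never legitimately needs a DTD.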