ReportLab through 3.5.26 allows remote code execution because of toColor in colors.py, as demonstrated by a crafted XML document with "CVE-2019-17626