SonarQube findings
I took the time to run poppler through the static code analytics tool at sonarqube https://sonarcloud.io/dashboard?id=noppnopp_poppler
The listed vulnerabilities are mostly things like use of strcpy, which is deemed unsafe.
Some of these findings should get a closer look to make sure there is nothing exploitable in it.