It is possible for an attacker to control src attribute of an object tag and load data from external resources.

With a properly defined CSP policy, the browser would not load the resource.

Content Security Policy: object-src