PkgRadar

Maven · repo1.maven.org

com.yishuifengxiao.common:common-tool

Java Unsafe Deserialize: ObjectInputStream / XStream.fromXML — untrusted deserialization sink.

Why PkgRadar flagged 8.5.7

SeveritySignalEvidence
mediumJava Unsafe DeserializeObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/yishuifengxiao/common/tool/bean/BeanUtil.java
mediumJava Dynamic ClassloadURLClassLoader / defineClass — runs attacker-provided bytecode. · com/yishuifengxiao/common/tool/bean/CustomStringJavaCompiler.java

Scanned versions

VersionVerdictScoreScanned (UTC)
8.5.7Review202026-06-20

Block this in CI

PkgRadar gates com.yishuifengxiao.common:common-tool (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven com.yishuifengxiao.common:[email protected]
Start free — 25 scans / moView full evidence