Maven · repo1.maven.org

io.github.hzy800123:birt-runtime

Java Jndi Lookup: JNDI / Naming.lookup — remote class-loading primitive (Log4Shell family).

Why PkgRadar flagged 4.21.5

Severity	Signal	Evidence
medium	Java Jndi Lookup	JNDI / Naming.lookup — remote class-loading primitive (Log4Shell family). · data/org.eclipse.birt.report.data.oda.jdbc/src/org/eclipse/birt/report/data/oda/jdbc/JndiDataSource.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · UI/org.eclipse.birt.report.debug.core/src/org/eclipse/birt/report/debug/internal/core/vm/ReportVMClient.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · UI/org.eclipse.birt.report.debug.core/src/org/eclipse/birt/report/debug/internal/core/vm/ReportVMServer.java
medium	Java Base64 Combo	Base64.decode combined with network / process — common in API clients, but worth review. · UI/org.eclipse.birt.report.designer.core/src/org/eclipse/birt/report/designer/util/ImageManager.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · UI/org.eclipse.birt.report.designer.ui/src/org/eclipse/birt/report/designer/data/ui/util/DataSetProvider.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · build/birt-packages/birt-runtime-test/src/test/java/org/eclipse/birt/sdk/BaseTestTemplate.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · chart/org.eclipse.birt.chart.engine/src/org/eclipse/birt/chart/script/AbstractScriptHandler.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · chart/org.eclipse.birt.chart.engine/src/org/eclipse/birt/chart/util/SecurityUtil.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · chart/org.eclipse.birt.chart.engine/src/org/eclipse/birt/chart/util/SecurityUtil.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · chart/org.eclipse.birt.chart.reportitem/src/org/eclipse/birt/chart/reportitem/BIRTScriptClassLoader.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · chart/org.eclipse.birt.chart.reportitem/src/org/eclipse/birt/chart/reportitem/ChartReportItemPresentationBase.java
medium	Java Base64 Combo	Base64.decode combined with network / process — common in API clients, but worth review. · chart/org.eclipse.birt.chart.ui.extension/src/org/eclipse/birt/chart/ui/swt/composites/FillCanvas.java

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.21.5`	Review	267	2026-06-16
`4.21.0`	Low risk	0	2026-06-16

Block this in CI

PkgRadar gates io.github.hzy800123:birt-runtime (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven io.github.hzy800123:[email protected]

Start free — 25 scans / mo View full evidence