Maven · repo1.maven.org

net.openhft:chronicle-core

Java Dynamic Classload: URLClassLoader / defineClass — runs attacker-provided bytecode.

Why PkgRadar flagged 2026.5

Severity	Signal	Evidence
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · net/openhft/chronicle/core/util/CompilerUtils.java
high	Java Static Init Side Effect	Static-initializer block contains process/network/reflection — runs on first class load. · net/openhft/chronicle/core/internal/CpuClass.java
high	Java Static Init Side Effect	Static-initializer block contains process/network/reflection — runs on first class load. · net/openhft/chronicle/core/Jvm.java
high	Java Static Init Side Effect	Static-initializer block contains process/network/reflection — runs on first class load. · net/openhft/chronicle/core/OS.java
medium	Java Process Spawn	Runtime.exec / ProcessBuilder — process spawning. · net/openhft/chronicle/core/internal/CpuClass.java
medium	Java Process Spawn	Runtime.exec / ProcessBuilder — process spawning. · net/openhft/chronicle/core/Jvm.java
medium	Java Process Spawn	Runtime.exec / ProcessBuilder — process spawning. · net/openhft/chronicle/core/OS.java
medium	Remote Payload	matched "Wget " · net/openhft/chronicle/core/io/Wget.java

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2026.5`	Review	45	2026-06-11

Block this in CI

PkgRadar gates net.openhft:chronicle-core (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven net.openhft:[email protected]