Maven · repo1.maven.org
org.flywaydb:flyway-core
Java Unsafe Deserialize: ObjectInputStream / XStream.fromXML — untrusted deserialization sink.
Why PkgRadar flagged 12.9.0
| Severity | Signal | Evidence |
|---|---|---|
| medium | Java Unsafe Deserialize | ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · org/flywaydb/core/internal/license/EncryptionUtils.java |
| medium | Java Dynamic Classload | URLClassLoader / defineClass — runs attacker-provided bytecode. · org/flywaydb/core/internal/util/ClassUtils.java |
| medium | Java Process Spawn | Runtime.exec / ProcessBuilder — process spawning. · org/flywaydb/core/internal/util/ExternalProcessRunner.java |
| medium | Java Process Spawn | Runtime.exec / ProcessBuilder — process spawning. · org/flywaydb/core/internal/resolver/script/ScriptMigrationExecutor.java |
| medium | Remote Payload | matched "cUrl " · org/flywaydb/core/internal/jdbc/JdbcConnectionFactory.java |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
12.9.0 | Review | 26 | 2026-06-18 |
Block this in CI
pkgradar gate --ecosystem maven org.flywaydb:[email protected]