Maven · repo1.maven.org

org.htmlunit:htmlunit-core-js

Java Dynamic Classload: URLClassLoader / defineClass — runs attacker-provided bytecode.

Why PkgRadar flagged 5.2.0

Severity	Signal	Evidence
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/annotations/JSConstructor.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/annotations/JSFunction.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/annotations/JSGetter.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/annotations/JSSetter.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/annotations/JSStaticFunction.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/DefiningClassLoader.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/GeneratedClassLoader.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/JavaAdapter.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/LambdaConstructor.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/PolicySecurityController.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/ScriptableObject.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · org/htmlunit/corejs/javascript/SecureCaller.java

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`5.2.0`	Review	25	2026-06-20

Block this in CI

PkgRadar gates org.htmlunit:htmlunit-core-js (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven org.htmlunit:[email protected]

Start free — 25 scans / mo View full evidence