The Java class loading APIs can lead to remote code execution vulnerabilities if not used carefully. Interpreting potentially untrusted input as bytecode can give an attacker control of the application.