...
Replacing the function table gives the attacker access to the XPathContext used to evaluate XPath expression. Static expressions. The XPathContext is used to set the reference node for evaluating XPath expressions. Manipulating this can cause unexpected behavior and XML fields can be modified in inconsistent ways. Also static variables are global across a Java runtime environment. They can be used as a communication channel between different application domains (e.g. by code loaded into different class loaders) .
...