Code injection can occur when untrusted input is injected into dynamically constructed code. The javax.script package both provides an API of interfaces and classes that define Java Scripting Engines and defines a framework for the use of those interfaces and classes in Java code. An obvious example is the use of JavaScript from Java code. Misuse of the javax.script API permits an attacker to execute arbitrary code on the target system. Such errors are dangerous because violations of secure coding practices in dynamically generated code cannot be detected in advance through static analysis.
...
An attacker can enter a specially crafted argument in an attempt to inject malicious JavaScript. This example shows a malicious string that contains JavaScript code that can create or overwrite an existing file on a Windows system running the vulnerable Java code.
...
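As an added illustration (not code from the original rule), the following class places the injectable pattern, where untrusted text is concatenated into script source, next to a hardened form that whitelists the input and passes it to the engine as a binding rather than as code. The class name, the `[A-Za-z]{1,20}` whitelist and the sample inputs are assumptions made for this example.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.regex.Pattern;

public class ScriptInjectionDemo {
    // Assumed whitelist for this example: plain ASCII letters, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z]{1,20}");

    // Injectable pattern: untrusted input becomes part of the script source,
    // so a quote character in firstName changes what the engine evaluates.
    static void evalNoncompliant(ScriptEngine engine, String firstName) throws ScriptException {
        engine.eval("print('" + firstName + "')");
    }

    // Hardened form: validate before the value reaches the engine, then hand it
    // over through a binding so it is treated as data, never as source text.
    static void evalCompliant(ScriptEngine engine, String firstName) throws ScriptException {
        if (!SAFE_NAME.matcher(firstName).matches()) {
            throw new IllegalArgumentException("rejected input: not a plain name");
        }
        engine.put("firstName", firstName);
        engine.eval("print(firstName)");
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            // Nashorn was removed in JDK 15; a standalone engine must be on the classpath.
            System.err.println("no JavaScript engine available");
            return;
        }
        evalCompliant(engine, "Alice");
        try {
            // Constructed input that would close the string literal in the
            // noncompliant version; the whitelist rejects it before evaluation.
            evalCompliant(engine, "Alice'); x('");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Treat the whitelist as a defence for this specific string-concatenation case; the more general fix is to keep untrusted data out of script source entirely, as the binding in `evalCompliant` does.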