...
This noncompliant code example returns an instance of the immediate caller's class loader to any invoker. A malicious invoker can consequently, obtain the associated class loader using standard APIs such as java.lang.Class.getClassLoader(). Once this is achieved, it is trivial to use Class.forname() to load the malicious class from attacker space or exploit a trusted method that calls Class.newInstance() on an arbitrarily supplied object. Class.newInstance() does not throw any security exception when the immediate caller's class loader is either the same or the delegation ancestor of its immediate callerthe object's class loader. (SEC05-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code)
...