Code injection results from malicious user input being incorporated into dynamically constructed code. The javax.script package provides utilities for invoking various scripting engines from Java code. If it is misused, an attacker can execute arbitrary code on the target system. This class of vulnerability is dangerous because violations of secure coding practices in dynamically generated code cannot be determined statically: the script text does not exist until runtime, so no compiler or static analyzer sees the code that actually executes.

...

This noncompliant code example incorporates untrusted user input into a JavaScript statement that prints the input. An attacker may supply specially crafted arguments in an attempt to inject malicious JavaScript. The firstName string contains JavaScript code that can create or overwrite an existing file on the system running the vulnerable Java code.
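The following is an added example written for this page; it is not the rule's own noncompliant or compliant code. It shows the injection pattern described above (untrusted text spliced into a script source string) next to a hardened form that validates the input against an allowlist and then hands the value to the engine as data through Bindings, so it never becomes part of the script text. The class name, the method names evalScriptUnsafe and evalScriptSafe, the allowlist pattern and the constructed payload are assumptions made for the demonstration. It also assumes a JavaScript engine is registered with the JDK; Nashorn was removed in JDK 15, so on newer JDKs an engine such as GraalJS must be on the class path.

```java
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class ScriptInjectionDemo {

    // Vulnerable (hypothetical): the untrusted value is concatenated into the
    // script source. Anything that closes the string literal becomes code.
    static void evalScriptUnsafe(ScriptEngine engine, String firstName)
            throws ScriptException {
        engine.eval("print('" + firstName + "')");
    }

    // Allowlist for a first name (assumption): letters, spaces, hyphens and
    // apostrophes, 1 to 64 characters. Everything else is rejected outright.
    private static final Pattern NAME = Pattern.compile("[\\p{L}][\\p{L} '-]{0,63}");

    // Hardened: validate first, then pass the value as data via Bindings so the
    // script text is a constant and the name can never be parsed as code.
    static void evalScriptSafe(ScriptEngine engine, String firstName)
            throws ScriptException {
        if (firstName == null || !NAME.matcher(firstName).matches()) {
            throw new IllegalArgumentException("rejected input: not a plausible name");
        }
        Bindings bindings = engine.createBindings();
        bindings.put("firstName", firstName);
        engine.eval("print(firstName)", bindings);
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            System.err.println("No JavaScript engine registered on this JDK; "
                    + "add one (e.g. GraalJS) to run the demo.");
            return;
        }

        // Constructed attacker input: closes the literal and appends a statement.
        // The page describes a payload that writes a file through Java interop;
        // here the appended statement is a harmless print so the effect is visible.
        String payload = "x'); print('INJECTED";

        System.out.println("--- unsafe, attacker input ---");
        evalScriptUnsafe(engine, payload);          // prints "x" and then "INJECTED"

        System.out.println("--- unsafe, legitimate name with apostrophe ---");
        try {
            evalScriptUnsafe(engine, "O'Brien");     // unbalanced quote: syntax error
        } catch (ScriptException e) {
            System.out.println("ScriptException: " + e.getMessage());
        }

        System.out.println("--- safe, attacker input ---");
        try {
            evalScriptSafe(engine, payload);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());     // rejected by the allowlist
        }

        System.out.println("--- safe, legitimate name with apostrophe ---");
        evalScriptSafe(engine, "O'Brien");          // prints O'Brien, nothing else
    }
}
```

The two defences are deliberately layered. Bindings alone already prevent injection, because the engine receives the name as a value rather than as source text; the allowlist is defence in depth for the case where the same value later reaches another interpreter (a file name, a shell, a SQL query) where parameterisation is not available. The O'Brien case also shows that string concatenation is not only insecure but incorrect: a legitimate apostrophe breaks the unsafe version with a syntax error, while the Bindings version handles it without any escaping.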

...