From the screenshot, the following key information about the vulnerability can be obtained:

### Vulnerability Description

- **Vulnerability Type**: Deserialization vulnerability
- **Affected Class**: `cn.hutool.core.util.XmlUtil#readObjectFromXml`
- **Specific Issue**: When `XmlUtil.readObjectFromXml` is used to parse an untrusted XML string, the result can be Remote Code Execution (RCE).

### Detailed Information

- **Function Calls**:
  - `public static <T> T readObjectFromXml(String xmlStr)`
  - `public static <T> T readObjectFromXml(InputSource source)`
- **Code Example**:

```java
import java.beans.XMLDecoder;

// Vulnerable pattern: XMLDecoder instantiates whatever classes the XML names
XMLDecoder xmldec = new XMLDecoder(source);
Object result = xmldec.readObject();
```

- **Root Cause**: The method hands the XML string to `java.beans.XMLDecoder`, which does not merely parse the document but executes the object-construction and method-call instructions it contains. Maliciously crafted XML therefore leads to Remote Code Execution.

### Attack Example

- **Malicious XML Example** (only the fragment `calc` survived in the screenshot):

```xml
calc
```

### Additional Information

- **Discovery Date**: January 13, 2023
- **Status**: Closed, marked as completed
- **Tags**: question
- **Related Link**: [Issue on another platform](https://gitee.com/dromara/hutool/issues/I6AEX2)
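The defensive counterpart to the vulnerable pattern above, as an added example that is not Hutool's code and not part of the issue: untrusted XML is never given to `XMLDecoder` at all. It is parsed into a DOM by a `DocumentBuilder` with DOCTYPE and external entities disabled, and the application copies the fields it expects out of the tree explicitly. The `<user>` document shape, the `User` class and both sample inputs are constructed for this example; the rejection of a `<java>` root element is not what makes the code safe (the DOM parser instantiates nothing regardless) but gives the application a loggable signal that an XMLDecoder archive was submitted.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SafeXmlRead {

    // Constructed sample of the data shape this hypothetical application expects.
    static final String DATA_DOC =
        "<user><name>alice</name><role>viewer</role></user>";

    // Constructed sample in java.beans.XMLDecoder archive form: a <java> root tells
    // XMLDecoder to instantiate the classes named inside. A DOM parser only builds
    // a tree from it and instantiates nothing.
    static final String DECODER_ARCHIVE =
        "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">"
      + "<object class=\"java.util.ArrayList\"/></java>";

    // Minimal application object; fields are copied out of the DOM by hand.
    static final class User {
        final String name;
        final String role;
        User(String name, String role) { this.name = name; this.role = role; }
        @Override public String toString() { return "User(" + name + ", " + role + ")"; }
    }

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Forbidding DOCTYPE removes entity expansion and external entity fetches (XXE).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses untrusted XML into a DOM. An XMLDecoder archive is refused so the
    // attempt can be logged; the DOM parse itself would not execute it either way.
    static Document parseUntrusted(String xml) throws Exception {
        Document doc = hardenedBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if ("java".equals(root.getTagName())) {
            throw new IllegalArgumentException(
                "rejected XMLDecoder archive (root <java>); input must never reach XMLDecoder");
        }
        return doc;
    }

    // Reads exactly one child element's text; anything else is a malformed document.
    static String childText(Element parent, String tag) {
        NodeList nodes = parent.getElementsByTagName(tag);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + tag + ">");
        }
        return nodes.item(0).getTextContent();
    }

    // Explicit mapping from DOM to the expected type: no class names come from the input.
    static User readUser(String xml) throws Exception {
        Element root = parseUntrusted(xml).getDocumentElement();
        if (!"user".equals(root.getTagName())) {
            throw new IllegalArgumentException(
                "expected <user> root, got <" + root.getTagName() + ">");
        }
        return new User(childText(root, "name"), childText(root, "role"));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readUser(DATA_DOC));
        try {
            readUser(DECODER_ARCHIVE);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The design point is that the type of the result is fixed by the application (`User`), not by a class name read from the document; `XMLDecoder` inverts that relationship, which is why no input-side filtering of the XML string is a substitute for not calling it on untrusted data.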