Look into deserialization vulnerabilities

[diogocp]

Deserialization of untrusted data in Java can, in some circumstances, be exploited by an attacker to execute arbitrary code. This is Really Bad™.

https://www.owasp.org/index.php/Deserialization_of_untrusted_data
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet