An uncertain security problem

[6right]

    By default in all versions of pf4j, when the plugin file: jar package or zip package are controlled by the user, the user can construct malicious files to execute arbitrary code in the web application through the pf4j declaration cycle function. I'm not sure whether pf4j should control this, so I'm here to ask you whether this is a security vulnerability

    I can't find other places to ask about security issues, so I can only send it here. I hope you forgive me