Liaogui Zhong discovered two security issues in XStream, a Java library to serialise objects to XML and back again, which could result in the deletion of files or server-side request forgery when unmarshalling.