In Apache libbatik-java 1.x before 1.10, when deserializing subclass of`AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class.Fix was to check the class type before calling newInstance in deserialization.