The Java class loading APIs can lead to remote code execution vulnerabilities if not used carefully. Interpreting potentially untrusted input as bytecode can give an attacker control of the application.
Suppress false positives by adding the suppression annotation @SuppressWarnings("BanClassLoader") to the enclosing element.