Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

We discussed this vulnerability during Episode 161 on 24 October 2022

Java's Swing UI toolkit will, in some cases, try to parse any string that starts with a < as HTML. That is dangerous because its handling of <object> tags will attempt to instantiate a class named by the classid attribute (the class must inherit from java.awt.Component), and it will then apply any <param> tags by calling the corresponding setter methods on that object.

The JSVGCanvas class could be abused to get JavaScript execution through an embedded <script> tag; from there, the script's xlink:href parameter could be used to supply a jar file to be executed.

An attacker who controls a string presented in a Swing field could get code execution. From a Cobalt Strike beacon running on the attacker's own machine, they could potentially modify its memory or run an application with a malicious string as its process name, so that the string is displayed in the operator's client. There are other avenues that could be used to exploit the issue; those are the two examples given, though.
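As an added example (not code from the page, from Cobalt Strike, or from the original analysis), the snippet below shows how a Swing application can stop untrusted strings from being parsed as HTML at all, which removes the <object> instantiation path described above. It relies on two real Swing client properties: BasicHTML.htmlDisable ("html.disable"), which tells a component's UI to ignore markup in its text, and BasicHTML.propertyKey ("html"), under which Swing stores the HTML view it built for a label. The class name, the helper methods and the sample strings are constructed for this example.

```java
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.JTable;
import javax.swing.plaf.basic.BasicHTML;
import javax.swing.table.DefaultTableCellRenderer;

/**
 * Added example: rendering attacker-influenced strings in Swing without
 * letting Swing interpret them as HTML. Not part of the original page.
 */
public final class SafeSwingText {

    /**
     * Mark a component so that Swing's HTML support ignores markup in its text.
     * This must be set BEFORE the text is assigned: the HTML view is built when
     * the "text" property changes, and setting the flag afterwards does not
     * tear an already-built view down.
     */
    public static <T extends JComponent> T disableHtml(T component) {
        component.putClientProperty(BasicHTML.htmlDisable, Boolean.TRUE);
        return component;
    }

    /**
     * Detection helper: true when Swing's HTML support would treat this string
     * as HTML (it looks for a leading "<html" tag, case-insensitively).
     * Useful for logging or rejecting suspicious remote-supplied values.
     */
    public static boolean wouldRenderAsHtml(String text) {
        return text != null && BasicHTML.isHTMLString(text);
    }

    /** True when a label has actually built an HTML view for its current text. */
    public static boolean renderedAsHtml(JLabel label) {
        return label.getClientProperty(BasicHTML.propertyKey) != null;
    }

    /** Table cell renderer that never interprets cell values as HTML. */
    public static class PlainTextCellRenderer extends DefaultTableCellRenderer {
        public PlainTextCellRenderer() {
            disableHtml(this); // set once in the constructor, before any setValue/setText
        }
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for remote-supplied strings
        // (for instance a process name reported back by a compromised host).
        String[] samples = {
            "explorer.exe",
            "<html><b>not bold</b></html>"
        };

        for (String sample : samples) {
            // Default behaviour: a plain JLabel parses HTML-prefixed text.
            JLabel unsafe = new JLabel();
            unsafe.setText(sample);

            // Hardened: the flag is set before the text is assigned.
            JLabel safe = disableHtml(new JLabel());
            safe.setText(sample);

            System.out.printf("%-32s looksLikeHtml=%-5b defaultLabelParsedHtml=%-5b hardenedLabelParsedHtml=%b%n",
                    sample, wouldRenderAsHtml(sample), renderedAsHtml(unsafe), renderedAsHtml(safe));
        }

        // Apply the same protection to every Object-typed cell of a table view.
        JTable table = new JTable(new Object[][] { { samples[1] } }, new Object[] { "process" });
        table.setDefaultRenderer(Object.class, new PlainTextCellRenderer());
    }
}
```

Run it with a plain `javac SafeSwingText.java && java SafeSwingText`; it constructs components only, so it works in a headless JVM. The hardened label reports no HTML view for the markup sample, while the default label does. If a component must legitimately render HTML, the alternative is to escape &lt; in the untrusted portion rather than to turn the flag off, and wouldRenderAsHtml gives a cheap place to log strings that would otherwise have crossed into the HTML parser.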