The version of Apache POI currently used by ModeShape (3.10-FINAL) contains a critical security vulnerability: http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt (and https://bugzilla.redhat.com/show_bug.cgi?id=1138140).

We should make sure we're using an updated version in which this issue has been fixed (see the release notes from above for details).