If you use Fortify to scan the POI 3.15 source code files, you will find a critical security issue for a hardcoded password. In method org.apache.poi.poifs.crypt.CryptoFunctions.hashPassword(String, HashAlgorithm, byte[], int, boolean):

    // If no password was given, use the default
    if (password == null) {
        password = Decryptor.DEFAULT_PASSWORD;
    }

Passwords should never be hardcoded and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient permissions to read and potentially misuse the password.
This is the default password for all Microsoft Office files, which can be found in the official Microsoft documentation, or in about 5 seconds with a Google search. As such, this is not a security issue.
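
The fallback discussed in this thread, as an added JDK-only example that is not POI's code: a salted, iterated hash whose null-password path yields the same bytes as passing the format default explicitly, which is why a scanner sees a literal where the file format defines a public constant. The class name, SHA-512 choice, salt and spin count are constructed for illustration, and the literal is the publicly documented Office default, which this page does not quote.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class DefaultPasswordDemo {
    // Publicly documented Office default password (assumed value, not quoted on this page).
    static final String DEFAULT_PASSWORD = "VelvetSweatshop";

    // Illustrative salted, iterated hash with the null fallback shown in the report.
    static byte[] hashPassword(String password, byte[] salt, int spinCount)
            throws NoSuchAlgorithmException {
        // If no password was given, use the format's default.
        if (password == null) {
            password = DEFAULT_PASSWORD;
        }
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        // Initial round: H(salt || UTF-16LE(password))
        md.update(salt);
        byte[] hash = md.digest(password.getBytes(StandardCharsets.UTF_16LE));
        // Spin rounds: H(little-endian counter || previous hash)
        for (int i = 0; i < spinCount; i++) {
            byte[] counter = ByteBuffer.allocate(4)
                    .order(ByteOrder.LITTLE_ENDIAN).putInt(i).array();
            md.update(counter);
            hash = md.digest(hash);
        }
        return hash;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; // constructed sample salt (all zero bytes)
        int spinCount = 1000;       // constructed sample iteration count

        byte[] fromNull = hashPassword(null, salt, spinCount);
        byte[] fromConstant = hashPassword(DEFAULT_PASSWORD, salt, spinCount);
        byte[] fromUser = hashPassword("user-chosen secret", salt, spinCount);

        // The null path and the explicit constant derive identical bytes.
        System.out.println("null == default constant: "
                + Arrays.equals(fromNull, fromConstant));
        // A user-supplied password derives different bytes.
        System.out.println("default == user password: "
                + Arrays.equals(fromNull, fromUser));
    }
}
```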