Apache Struts 2.x prior to 2.3.28 allows remote malicious users to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Apache Struts 2x before 2328 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation ...