The REST plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 deserializes XML payloads without type filtering, which enables remote code execution.
https://nvd.nist.gov/vuln/detail/cve-2017-9805
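
A triage check for the affected ranges stated above, as an added example that is not part of the advisory or of the Struts project. It assumes the plugin is deployed as `struts2-rest-plugin-<version>.jar`; the sample paths are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisory text:
#   2.1.1 through 2.3.x before 2.3.34, and 2.5.x before 2.5.13.
AFFECTED_RANGES = [
    ((2, 1, 1, 0), (2, 3, 34, 0)),  # 2.1.1 <= v < 2.3.34
    ((2, 5, 0, 0), (2, 5, 13, 0)),  # 2.5.0 <= v < 2.5.13
]

# Assumption: jar file name follows the usual <artifact>-<version>.jar layout.
# Only the REST plugin is matched, because the flaw is in that plugin.
JAR_RE = re.compile(r"struts2-rest-plugin-(\d+(?:\.\d+){1,3})\.jar$")


def parse_version(text):
    """Turn '2.3.15.1' into (2, 3, 15, 1), zero-padded to four components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True if the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def triage(paths):
    """Map each REST plugin jar path to (version, affected).

    Jars with non-numeric qualifiers (e.g. -BETA1) are not matched and
    need manual review.
    """
    findings = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            findings[path] = (match.group(1), is_affected(match.group(1)))
    return findings


# Constructed sample inventory (not taken from any real system).
SAMPLE_PATHS = [
    "/opt/app-a/WEB-INF/lib/struts2-rest-plugin-2.3.15.1.jar",
    "/opt/app-b/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar",
    "/opt/app-c/WEB-INF/lib/struts2-core-2.3.32.jar",
]

if __name__ == "__main__":
    for jar, (version, affected) in triage(SAMPLE_PATHS).items():
        print(f"{jar}: {version} {'AFFECTED' if affected else 'not in range'}")
```

An application that bundles only `struts2-core` without the REST plugin is not reported, since the advisory scopes the issue to the REST plugin.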