The Struts 1 plugin in Apache Struts 2 < 2.3.33 might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage class.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791
cwiki.apache.org/confluence/display/WW/S2-048