In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a Remote Code Execution.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12611
cwiki.apache.org/confluence/display/WW/S2-053