Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230
cwiki.apache.org/confluence/display/WW/S2-059