Improper Input Validation
Apache Struts 2.3.20.x before 18.104.22.168, 2.3.24.x before 22.214.171.124, and 2.3.28.x before 126.96.36.199, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.