In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient. A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations. * Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described [1] * Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available. - The Apache Struts Team. [1] http://struts.apache.org/announce.html#a20140424 [2] http://struts.apache.org/mail.html [3] http://struts.apache.org/announce.html [4] https://plus.google.com/+ApacheStruts/posts [5] https://twitter.com/TheApacheStruts -- René Gielen http://twitter.com/rgielen