Apache says Struts 2 security bug wasn't fully fixed in 2020

But this time the patch should do the trick
Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications – because the first patch, issued in 2020, didn't fully do the trick.…