Launchpad.net

CVE 2016-3690

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

See the CVE page on Mitre.org for more details.