Thanks a bunch
The critical security vulnerability was discovered by researchers at Semmle, who today went public with their find. [...] Developers are advised to patch Apache Struts to version 2.5.13, which was released today.
Very obliging of Semmle to give Apache time to issue a fix. Somewhat less obliging is not giving users any time to test and deploy the fix.