CVE-2016-3690: PooledInvokerServlet is not secured, and deserializes data

Severity: Critical

CVSS Score: 9.8

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.