Years-Old, Unpatched GWT Vuln Leaves Apps Open to Server-Side RCE

Although the unauthenticated Java deserialization flaw has been known since 2015, GWT apps remain vulnerable to malicious server-side code execution, new research says.