Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via crafted serialized data.
https://tapestry.apache.org/release-notes-536.html
https://issues.apache.org/jira/browse/TAP5-2008
http://www.openwall.com/lists/oss-security/2019/08/23/5
http://seclists.org/fulldisclosure/2019/Aug/20