There's a critical remote commands execution vulnerability in XWork(used by Struts2), which fixed in 2.2.0, which isn't released yet but can be downloaded here: http://people.apache.org/builds/struts/2.2.0/
More details about this vulnerability can be found here: http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html Meder
