All user input, for example entered through a form, is evaluated as an OGNL expression.
This leads to a remote exploit of possible malicious code execution of any kind, such as server shutdown or information theft.
Moreover, it can lead to a DoS problem:
On a form with:
if the user enters %
as the value then com/opensymphony/xwork2/util/TextParseUtil.translateVariables enters an infinite loop eating about 1GB of ram in one second on my server.