‘Critical’ Security Flaw Found in Struts Framework


A newly discovered vulnerability in a popular open-source framework could put major companies’ data at risk of theft or deletion, according to researchers who revealed the bug.

The vulnerability, first reported by ZDNet, affects versions of the Apache Struts REST plugin dating back to 2008. The plugin is used in many web applications, but hackers could take advantage of the vulnerability to gain access to a company’s server.

“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin,” Bas van Schaik, a product manager for researchers from lgtm, wrote in a post announcing the vulnerability. “Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.”
