Regarding CVE-2023-50164, the Apache Struts vulnerability that has a lot of people excited - I've seen some scanning for it in my honeypots, but they're scanning using the path in a Github PoC that isn't real.
I don't see any evidence of in the wild exploitation in a way that would actually work.
For a webapp to be exploitable it would need a tailored exploit and a specific set of circumstances to be vulnerable.