Check out this excellent writeup on an Apache OFBiz deserialization vuln from my coworker Dusan (I just reviewed the writeup):

https://www.zerodayinitiative.com/blog/2020/9/14/cve-2020-9496-rce-in-apache-ofbiz-xmlrpc-via-deserialization-of-untrusted-data

This is essentially what one of the core parts of our N-day research reports looks like.