Apache Tapestry uses a special input field "t:formdata" to store data for Form component. The data is a Java serialized object and it's signed for protection against data tampering. It's very important that an attacker doesn't know the value of the secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.
Change the value of the secret "HMAC_PASSPHRASE" to a long random string.
Serialized object data stored on the client should be HMAC signed and validated