VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 7, 2016 · Updated May 6, 2026

CVE-2016-3087

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.apache.struts:struts2-core (Maven) | >= 2.3.19, < 2.3.20.3 | 2.3.20.3 |
| org.apache.struts:struts2-core (Maven) | >= 2.3.21, < 2.3.24.3 | 2.3.24.3 |
| org.apache.struts:struts2-core (Maven) | >= 2.3.25, < 2.3.28.1 | 2.3.28.1 |

Patches

1
6bd694b79804

Drops defining location via request

https://github.com/apache/struts · Lukasz Lenart · Apr 18, 2016 · via ghsa
1 file changed · +1 -6
  • core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java · +1 -6 · modified
    @@ -404,12 +404,7 @@ protected URIResolver getURIResolver() {
                     ServletActionContext.getServletContext());
         }
     
    -    protected Templates getTemplates(String path) throws TransformerException, IOException {
    -        String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
    -
    -        if (pathFromRequest != null)
    -            path = pathFromRequest;
    -
    +    protected Templates getTemplates(final String path) throws TransformerException, IOException {
             if (path == null)
                 throw new TransformerException("Stylesheet path is null");
     
    
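Review bot: in getTemplates, dropping the "xslt.location" request override silently changes behaviour for any application that relied on it, and nothing in the method records that the stylesheet location now comes only from the path argument. Suggest a Javadoc line on getTemplates stating that the location is no longer read from the request, plus a regression test that sends "xslt.location" as a request parameter and asserts the configured stylesheet is still the one loaded. The remaining "if (path == null)" check only rejects null, so any validation of the value itself has to live where the caller derives path, which is outside these lines. These lines touch only XSLTResult; nothing here changes the REST Plugin or Dynamic Method Invocation handling named in the description, so that vector should be verified separately.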
