Maven package
org.apache.struts.xwork/xwork-core
pkg:maven/org.apache.struts.xwork/xwork-core
Vulnerabilities (16)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68493 | — | | | >= 2.2.1 | — | Jan 11, 2026 | Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. |
| CVE-2016-4433 | High | 7.5 | | >= 2.3.20, < 2.3.29 | 2.3.29 | Jul 4, 2016 | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. |
| CVE-2016-4430 | High | 8.8 | | >= 2.3.20, < 2.3.29 | 2.3.29 | Jul 4, 2016 | Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. |
| CVE-2015-1831 | — | | | >= 2.0.0, < 2.3.20.1 | 2.3.20.1 | Jul 16, 2015 | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. |
| CVE-2014-0094 | — | | | >= 2.0.0, < 2.3.16.2 | 2.3.16.2 | Mar 11, 2014 | The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. |
| CVE-2013-2135 | — | | | >= 2.0.0, < 2.3.14.3 | 2.3.14.3 | Jul 16, 2013 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. |
| CVE-2013-2134 | — | | | >= 2.0.0, < 2.3.14.3 | 2.3.14.3 | Jul 16, 2013 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. |
| CVE-2013-2115 | High | 8.1 | | >= 2.0.0, < 2.3.14.2 | 2.3.14.2 | Jul 10, 2013 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. |
| CVE-2013-1966 | — | | | >= 2.0.0, < 2.3.14.2 | 2.3.14.2 | Jul 10, 2013 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. |
| CVE-2012-4387 | — | | | >= 2.0.0, < 2.3.4.1 | 2.3.4.1 | Sep 5, 2012 | Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. |
| CVE-2012-0838 | — | | | < 2.2.3.1 | 2.2.3.1 | Mar 2, 2012 | Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. |
| CVE-2012-0394 | — | | | < 2.3.18 | 2.3.18 | Jan 8, 2012 | The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself." |
| CVE-2012-0393 | — | | | < 2.2.3.1 | 2.2.3.1 | Jan 8, 2012 | The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. |
| CVE-2012-0392 | — | | | < 2.2.3.1 | 2.2.3.1 | Jan 8, 2012 | The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. |
| CVE-2012-0391 | Critical | 9.8 | KEV | < 2.2.3.1 | 2.2.3.1 | Jan 8, 2012 | The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. |
| CVE-2011-2088 | — | | | < 2.2.2 | 2.2.2 | May 13, 2011 | XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability th |