Maven package
org.apache.struts/struts2-core
pkg:maven/org.apache.struts/struts2-core
Vulnerabilities (60)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68493 | — | | | >= 2.0.0, <= 2.3.37 | — | Jan 11, 2026 | Missing XML Validation vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. |
| CVE-2025-66675 | — | | | >= 2.0.0, < 6.8.0 | 6.8.0 | Dec 10, 2025 | Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the |
| CVE-2025-64775 | — | | | >= 6.0.0, < 6.8.0 | 6.8.0 | Dec 1, 2025 | Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the |
| CVE-2024-53677 | — | | | < 6.4.0 | 6.4.0 | Dec 11, 2024 | File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: fr |
| CVE-2023-50164 | — | | | >= 2.0.0, < 2.5.33 | 2.5.33 | Dec 7, 2023 | An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or gre |
| CVE-2023-41835 | — | | | >= 6.2.0, < 6.3.0.1 | 6.3.0.1 | Dec 5, 2023 | When a multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 o |
| CVE-2023-34396 | — | | | < 2.5.31 | 2.5.31 | Jun 14, 2023 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
| CVE-2023-34149 | — | | | < 2.5.31 | 2.5.31 | Jun 14, 2023 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
| CVE-2021-31805 | — | | | >= 2.0.0, < 2.5.30 | 2.5.30 | Apr 12, 2022 | The fix issued for CVE-2020-17530 was incomplete, so from Apache Struts 2.0.0 to 2.5.29 some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user i |
| CVE-2020-17530 | — | | KEV | >= 2.0.0, < 2.5.26 | 2.5.26 | Dec 11, 2020 | Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25. |
| CVE-2019-0233 | — | | | >= 2.0.0, < 2.5.22 | 2.5.22 | Sep 14, 2020 | An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. |
| CVE-2019-0230 | — | | | >= 2.0.0, < 2.5.22 | 2.5.22 | Sep 14, 2020 | Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |
| CVE-2015-2992 | — | | | < 2.3.20 | 2.3.20 | Feb 27, 2020 | Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability. |
| CVE-2012-1592 | — | | | >= 2.0, < 2.5.22 | 2.5.22 | Dec 5, 2019 | A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. |
| CVE-2011-3923 | — | | | >= 2.0.0, < 2.3.1.2 | 2.3.1.2 | Nov 1, 2019 | Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. |
| CVE-2018-11776 | — | | KEV | >= 2.0.4, < 2.3.35 | 2.3.35 | Aug 22, 2018 | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and at the same time its upper package has no or |
| CVE-2016-4461 | High | 8.8 | | >= 2.0.0, < 2.3.29 | 2.3.29 | Oct 16, 2017 | Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. |
| CVE-2015-5169 | Medium | 6.1 | | < 2.3.20 | 2.3.20 | Sep 25, 2017 | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. |
| CVE-2017-9804 | High | 7.5 | | >= 2.3.7, < 2.3.34 | 2.3.34 | Sep 20, 2017 | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL. N |
| CVE-2017-12611 | Critical | 9.8 | | >= 2.0.1, < 2.3.34 | 2.3.34 | Sep 20, 2017 | In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack. |
Page 1 of 3