Struts
by Apache
CVEs (85)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-66675 | | | 0.00 | — | 0.01 | | Dec 10, 2025 | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the… |
| CVE-2025-64775 | | | 0.00 | — | 0.01 | | Dec 1, 2025 | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the… |
| CVE-2024-53677 | | | 0.00 | — | 0.78 | | Dec 11, 2024 | File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts:… |
| CVE-2023-50164 | | | 0.00 | — | 0.81 | | Dec 7, 2023 | An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or… |
| CVE-2023-41835 | | | 0.00 | — | 0.06 | | Dec 5, 2023 | When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts… |
| CVE-2023-34396 | | | 0.00 | — | 0.05 | | Jun 14, 2023 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
| CVE-2023-34149 | | | 0.00 | — | 0.05 | | Jun 14, 2023 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
| CVE-2015-2992 | | | 0.00 | — | 0.07 | | Feb 27, 2020 | Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability. |
| CVE-2015-1831 | | | 0.00 | — | 0.06 | | Jul 16, 2015 | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. |
| CVE-2014-7809 | | | 0.00 | — | 0.03 | | Dec 10, 2014 | Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable `<s:token/>` values, which allows remote attackers to bypass the CSRF protection mechanism. |
| CVE-2014-0116 | | | 0.00 | — | 0.07 | | May 8, 2014 | CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this… |
| CVE-2013-6348 | | | 0.00 | — | 0.06 | | Nov 2, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. |
| CVE-2013-4316 | | | 0.00 | — | 0.08 | | Sep 30, 2013 | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. |
| CVE-2013-4310 | | | 0.00 | — | 0.07 | | Sep 30, 2013 | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. |
| CVE-2013-2135 | | | 0.00 | — | 0.14 | | Jul 16, 2013 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. |
| CVE-2012-4387 | | | 0.00 | — | 0.08 | | Sep 5, 2012 | Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. |
| CVE-2012-4386 | | | 0.00 | — | 0.03 | | Sep 5, 2012 | The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session… |
| CVE-2012-0838 | | | 0.00 | — | 0.14 | | Mar 2, 2012 | Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. |
| CVE-2012-0393 | | | 0.00 | — | 0.38 | | Jan 8, 2012 | The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. |
| CVE-2011-2088 | | | 0.00 | — | 0.06 | | May 13, 2011 | XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability… |
Page 4 of 5