VYPR

Struts

by Apache

Source repositories

CVEs (85)

  • CVE-2025-66675 (Dec 10, 2025)
    risk 0.00 | cvss | epss 0.01

    Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the…

  • CVE-2025-64775 (Dec 1, 2025)
    risk 0.00 | cvss | epss 0.01

    Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the…

  • CVE-2024-53677 (Dec 11, 2024)
    risk 0.00 | cvss | epss 0.78

    File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts:…

  • CVE-2023-50164 (Dec 7, 2023)
    risk 0.00 | cvss | epss 0.81

    An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or…

  • CVE-2023-41835 (Dec 5, 2023)
    risk 0.00 | cvss | epss 0.06

    When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts…

  • CVE-2023-34396 (Jun 14, 2023)
    risk 0.00 | cvss | epss 0.05

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

  • CVE-2023-34149 (Jun 14, 2023)
    risk 0.00 | cvss | epss 0.05

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

  • CVE-2015-2992 (Feb 27, 2020)
    risk 0.00 | cvss | epss 0.07

    Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.

  • CVE-2015-1831 (Jul 16, 2015)
    risk 0.00 | cvss | epss 0.06

    The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

  • CVE-2014-7809 (Dec 10, 2014)
    risk 0.00 | cvss | epss 0.03

    Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

  • CVE-2014-0116 (May 8, 2014)
    risk 0.00 | cvss | epss 0.07

    CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this…

  • CVE-2013-6348 (Nov 2, 2013)
    risk 0.00 | cvss | epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.

  • CVE-2013-4316 (Sep 30, 2013)
    risk 0.00 | cvss | epss 0.08

    Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

  • CVE-2013-4310 (Sep 30, 2013)
    risk 0.00 | cvss | epss 0.07

    Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.

  • CVE-2013-2135 (Jul 16, 2013)
    risk 0.00 | cvss | epss 0.14

    Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

  • CVE-2012-4387 (Sep 5, 2012)
    risk 0.00 | cvss | epss 0.08

    Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.

  • CVE-2012-4386 (Sep 5, 2012)
    risk 0.00 | cvss | epss 0.03

    The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session…

  • CVE-2012-0838 (Mar 2, 2012)
    risk 0.00 | cvss | epss 0.14

    Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

  • CVE-2012-0393 (Jan 8, 2012)
    risk 0.00 | cvss | epss 0.38

    The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

  • CVE-2011-2088 (May 13, 2011)
    risk 0.00 | cvss | epss 0.06

    XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability…

Page 4 of 5