threatengine.sh
Product: Apache Struts
90 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Severity | Summary
CVE-2025-68493 | >= 2.0.0 and <= 2.3.37 | 8.1 | HIGH | Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1;
CVE-2025-66675 | >= 2.0.0 and <= 2.3.37 | 8.2 | HIGH | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue af
CVE-2025-64775 | >= 2.0.0 and < 6.8.0 | 7.5 | HIGH | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue af
CVE-2024-53677 | >= 2.0.0 and < 6.4.0 | 9.8 | CRITICAL | File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under s
CVE-2023-50164 | >= 2.0.0 and < 2.5.33 | 9.8 | CRITICAL | An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a
CVE-2023-41835 | >= 2.0.0 and < 2.5.32 | 7.5 | HIGH | When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in s
CVE-2023-34396 | < 2.5.31 | 4.3 | MEDIUM | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects
CVE-2023-34149 | < 2.5.31 | 4.3 | MEDIUM | Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects
CVE-2021-31805 | >= 2.0.0 and <= 2.5.29 | 9.8 | CRITICAL | The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes coul
CVE-2020-26259 | < 6.0.0 | 6.8 | MEDIUM | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitr
CVE-2020-26258 | < 6.0.0 | 6.3 | MEDIUM | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Requ
CVE-2020-17530 | >= 2.0.0 and < 2.5.30 | 9.8 | CRITICAL | Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software :
CVE-2019-0233 | >= 2.0.0 and <= 2.5.20 | 7.5 | HIGH | An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
CVE-2019-0230 | >= 2.0.0 and <= 2.5.20 | 9.8 | CRITICAL | Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remot
CVE-2015-2992 | >= 2.0.0 and < 2.3.20 | 6.1 | MEDIUM | Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CVE-2012-1592 | all versions | 8.8 | HIGH | A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user uploa
CVE-2011-3923 | >= 2.0.0 and < 2.3.1.2 | 9.8 | CRITICAL | Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute
CVE-2018-11776 | >= 2.0.4 and < 2.3.35 | 8.1 | HIGH | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace i
CVE-2018-1327 | >= 2.1.1 and <= 2.5.14.1 | 7.5 | HIGH | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious r
CVE-2017-15707 | >= 2.5 and <= 2.5.14 | 6.2 | MEDIUM | In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS
CVE-2016-3090 | all versions | 8.8 | HIGH | The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code v
CVE-2016-4461 | >= 2.0.0 and < 2.3.29 | 8.8 | HIGH | Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka for
CVE-2015-5169 | >= 2.0.0 and <= 2.3.16.3 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
CVE-2017-9804 | all versions | 7.5 | HIGH | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in
CVE-2017-9793 | all versions | 7.5 | HIGH | The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is
CVE-2017-12611 | all versions | 9.8 | CRITICAL | In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of s
CVE-2016-8738 | all versions | 5.9 | MEDIUM | In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used,
CVE-2016-6795 | all versions | 9.8 | CRITICAL | In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL whi
CVE-2017-9805 | >= 2.1.2 and < 2.3.34 | 8.1 | HIGH | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance
CVE-2015-5209 | all versions | 7.5 | HIGH | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container
CVE-2017-9787 | all versions | 7.5 | HIGH | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to A
CVE-2017-7672 | all versions | 5.9 | MEDIUM | If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL w
CVE-2017-9791 | all versions | 9.8 | CRITICAL | The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw
CVE-2017-5638 | >= 2.2.3 and < 2.3.32 | 9.8 | CRITICAL | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and
CVE-2016-4436 | all versions | 9.8 | CRITICAL | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper ac
CVE-2016-4465 | all versions | 5.3 | MEDIUM | The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial
CVE-2016-4438 | all versions | 9.8 | CRITICAL | The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted express
CVE-2016-4433 | all versions | 7.5 | HIGH | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection att
CVE-2016-4431 | all versions | 7.5 | HIGH | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection att
CVE-2016-4430 | all versions | 8.8 | HIGH | Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request f
CVE-2016-1182 | all versions | 8.2 | HIGH | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remo
CVE-2016-1181 | all versions | 8.1 | HIGH | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows r
CVE-2015-0899 | all versions | 7.5 | HIGH | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access rest
CVE-2016-3093 | all versions | 5.3 | MEDIUM | Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows rem
CVE-2016-3087 | all versions | 9.8 | CRITICAL | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remot
CVE-2016-3082 | all versions | 9.8 | CRITICAL | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to
CVE-2016-3081 | all versions | 8.1 | HIGH | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remot
CVE-2016-4003 | >= 2.0.0 and <= 2.3.24.1 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28,
CVE-2016-2162 | all versions | 6.1 | MEDIUM | Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remo
CVE-2016-0785 | >= 2.0.0 and < 2.3.20.3 | 8.8 | HIGH | Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka for
CVE-2015-1831 | all versions | n/a | n/a | The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an ap
CVE-2014-7809 | all versions | n/a | n/a | Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CS
CVE-2014-0116 | all versions | n/a | n/a | CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access
CVE-2014-0114 | all versions | n/a | n/a | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other produ
CVE-2014-0113 | >= 2.0.0 and < 2.3.16.2 | n/a | n/a | CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to
CVE-2014-0112 | >= 2.0.0 and < 2.3.16.2 | n/a | n/a | ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote
CVE-2014-0094 | >= 2.0.0 and < 2.3.16.1 | n/a | n/a | The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class p
CVE-2013-6348 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web scrip
CVE-2013-4316 | all versions | n/a | n/a | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
CVE-2013-4310 | all versions | n/a | n/a | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
CVE-2013-2251 | >= 2.0.0 and <= 2.3.15 | 9.8 | CRITICAL | Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1
CVE-2013-2248 | all versions | n/a | n/a | Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary
CVE-2013-2135 | >= 2.0.0 and < 2.3.14.3 | n/a | n/a | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that con
CVE-2013-2134 | >= 2.0.0 and < 2.3.14.3 | n/a | n/a | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name th
CVE-2013-2115 | >= 2.0.0 and <= 2.3.14.1 | 8.1 | HIGH | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly
CVE-2013-1966 | >= 2.0.0 and < 2.3.14.1 | n/a | n/a | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly
CVE-2013-1965 | >= 2.0.0 and <= 2.3.13 | n/a | n/a | Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary
CVE-2012-4387 | all versions | n/a | n/a | Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name
CVE-2012-4386 | all versions | n/a | n/a | The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter,
CVE-2012-0838 | >= 2.0.0 and <= 2.2.3 | n/a | n/a | Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows re
CVE-2012-1007 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script
CVE-2012-1006 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary w
CVE-2011-5057 | >= 2.0.0 and < 2.3.3 | n/a | n/a | Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as
CVE-2012-0394 | >= 2.0.0 and <= 2.3.17 | n/a | n/a | The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execut
CVE-2012-0393 | >= 2.1.0 and < 2.3.1.1 | n/a | n/a | The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows re
CVE-2012-0392 | >= 2.0.0 and < 2.3.1 | n/a | n/a | The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote att
CVE-2012-0391 | < 2.2.3.1 | 9.8 | CRITICAL | The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain ex
CVE-2011-2088 | all versions | n/a | n/a | XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially
CVE-2011-2087 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apac
CVE-2011-1772 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymp
CVE-2010-1870 | all versions | n/a | n/a | The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucib
CVE-2008-6682 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote att
CVE-2008-2025 | all versions | n/a | n/a | Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-10
CVE-2007-6726 | all versions | n/a | n/a | Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow re
CVE-2008-6505 | all versions | n/a | n/a | Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to
CVE-2008-6504 | all versions | n/a | n/a | ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products
CVE-2006-1548 | <= 1.2.8 | n/a | n/a | Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in A
CVE-2006-1547 | < 1.2.9 | 7.5 | HIGH | ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of
CVE-2006-1546 | <= 1.2.8 | n/a | n/a | Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache
CVE-2005-3745 | all versions | n/a | n/a | Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arb
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin