
7 matches found

Tenable Nessus
added 2026/01/16 12:0 a.m., 4 views

Apache Struts 2.x <= 2.3.37 / 2.5.x <= 2.5.33 / 6.x < 6.1.1 XML External Entity Injection in XWork (S2-069)

The version of Apache Struts installed on the remote host is 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, or 6.x prior to 6.1.1. It is, therefore, affected by an XML external entity injection (XXE) vulnerability in the XWork component: - Missing XML Validation vulnerability in Apache Struts, Apache...

CVSS: 8.1, AI score: 5.8, EPSS: 0.00033
Exploits: 1, References: 2
vulnersOsv
added 2026/01/11 3:31 p.m., 5 views

be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2) +58 more potentially affected by CVE-2025-68493 via com.opensymphony:xwork (>=2.0.4 <=2.1.3)

com.opensymphony:xwork MAVEN version =2.0.4, =1.2.1, =4.0.1, =0.9.2, =1.1.5, =1.3.3, =1.3.1, =2.0.5-incubating, =2.0.9, =2.0.11, =2.0.9, =2.0.9, =2.0.9, =2.1.6 - org.apache.struts:struts2-convention-plugin =2.1.6 and more Source cves: CVE-2025-68493 Source advisory: OSV:GHSA-QCFC-HMRC-59X7...

CVSS: 8.1, AI score: 6, EPSS: 0.00033
Exploits: 1
Cvelist
added 2026/01/11 1:5 p.m., 19 views

CVE-2025-68493 Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue...

EPSS: 0.00033
Exploits: 1, References: 1
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-4099

Malicious code in bioql PyPI...

CVSS: 6.8, AI score: 6.5, EPSS: 0.02109
Exploits: 0, References: 15
OSV
added 2022/05/01 6:24 p.m., 1 views

GHSA-H7MF-QRM9-2848 OpenSymphony XWork vulnerable to improper input validation

XWork is a command-pattern framework that is used to power WebWork as well as other applications. Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression...

CVSS: 6.8, AI score: 6.2, EPSS: 0.02109
Exploits: 0, References: 2
Atlassian
added 2014/05/22 12:50 p.m., 17 views

Upgrading to 5.5.1 from 5.4.3 didn't update xwork from 1.13 to 1.17

We recently upgraded our instance following your security advisory. It was discovered shortly after the upgrade that the xwork file that was vulnerable 1.13 was not upgraded to the safe version 1.17. This could have just been specific to our instance but you should check your upgrade process and...

AI score: 3.3
Exploits: 0
NVD
added 2010/08/17 8:0 p.m., 26 views

CVE-2010-1870

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "" protection mechanis...

CVSS: 5, AI score: 9.4, EPSS: 0.92533
Exploits: 22, References: 12