8 matches found
CVE-2017-9805
CVE-2017-9805 affects the Apache Struts 2 REST plugin. The REST plugin uses an XStreamHandler with an XStream instance to deserialize XML without any type filtering, enabling remote code execution when processing crafted XML payloads. Affected versions are Struts 2.1.1–2.3.x before 2.3.34 and 2.5...
CVE-2025-68493
CVE-2025-68493 describes a Missing XML Validation vulnerability in Apache Struts (affecting 2.0.0–2.2.1, 2.2.1–6.1.0; fixed in 6.1.1). A connected exploit resource provides a PoC targeting the XXE weakness in XWork, including a read-file payload (e.g., /etc/passwd) via the vulnerable XML parsing ...
CVE-2016-1181
CVE-2016-1181 affects Apache Struts 1.x (1.1–1.3.10) where ActionServlet.java mishandles multithreaded access to an ActionForm, allowing a remote attacker to execute arbitrary code or cause a denial of service via a multipart request (related to CVE-2015-0899). The NVD description explicitly ties...
CVE-2016-1182
CVE-2016-1182 is referenced in Jira issues JSWSERVER-26635/26636 and JSDSERVER-16462/16461, tying the vulnerability to ActionServlet.java in Apache Struts 1.x (1.3.10) with improper Validator configuration. Exploitation concerns remote code execution (RCE) and DoS, with CVSS scores around 8.x (RC...
CVE-2016-4430
CVE-2016-4430 affects Apache Struts 2.3.20–2.3.28.1, where token validation is mishandled, enabling remote CSRF attacks via unspecified vectors. Public sources in connected docs (IBM security advisories and the NVD entry) corroborate the CSRF impact and tie it to the same Struts versions. The vul...
CVE-2012-1592
Apache Struts2 is affected by a local code execution vulnerability involving processing malformed XSLT files. The issue affects Struts2 versions prior to 2.5.22 and can allow a malicious user to upload and execute arbitrary files on the server. A fix exists with Struts 2.5.22 or later; advisory e...
CVE-2016-3090
CVE-2016-3090 — Affected product and details : Apache Struts 2.x prior to 2.3.20 is vulnerable. The issue lies in the TextParseUtil.translateVariables method, exposed via a crafted OGNL expression using ANTLR tooling. Impact : remote code execution (RCE) with network access. Exploitation : attack...
CVE-2025-66675
The CVE-2025-66675 issue is an Apache Struts Denial of Service vulnerability caused by a file leak during multipart request processing, which can lead to disk exhaustion. Affected versions are Struts 2.0.0–6.7.4 and 7.0.0–7.0.3. The documented remediation is to upgrade to Struts 6.8.0 or 7.1.1, w...