Skip to main content

Struts CVE-2025-68493

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-01-11 security@apache.org GHSA-qcfc-hmrc-59x7
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 11, 2026 - 13:15 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 51 maven packages depend on org.apache.struts.xwork:xwork-core (2 direct, 49 indirect)

Ecosystem-wide dependent count for version 2.2.1.

DescriptionNVD

Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

AnalysisAI

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Technical ContextAI

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) affects Struts. Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

RemediationAI

Update to version 6.1.1 or later. Restrict network access to the affected service where possible.

More in Struts

View all
CVE-2013-1966 CRITICAL POC
9.3 Jul 10

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not

CVE-2016-3087 CRITICAL POC
9.8 Jun 07

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, a

CVE-2016-3081 HIGH POC
8.1 Apr 26

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, a

CVE-2014-0114 HIGH POC
7.5 Apr 30

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in o

CVE-2014-0112 HIGH POC
7.5 Apr 29

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which all

CVE-2017-12611 CRITICAL POC
9.8 Sep 20

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag in

CVE-2013-2115 HIGH POC
8.1 Jul 10

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not

CVE-2012-0394 MEDIUM POC
6.8 Jan 08

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers

CVE-2013-1965 CRITICAL POC
9.3 Jul 10

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute

CVE-2013-2134 CRITICAL POC
9.3 Jul 16

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted acti

CVE-2014-0094 MEDIUM POC
5.0 Mar 11

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via t

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

Vendor StatusVendor

Share

CVE-2025-68493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy