Skip to main content

Struts

64 CVEs product

Monthly

CVE-2025-68493 Maven HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-64775 Maven HIGH POC PATCH This Week

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Denial Of Service Apache Ubuntu Debian Struts +1
NVD GitHub HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-53677 Maven CRITICAL PATCH Act Now

File upload logic in Apache Struts is flawed. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian RCE Apache File Upload Struts
NVD
CVSS 4.0
9.5
EPSS
78.2%
CVE-2023-50164 Maven CRITICAL PATCH Act Now

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal RCE Information Disclosure File Upload Struts
NVD
CVSS 3.1
9.8
EPSS
80.8%
CVE-2023-41835 Maven HIGH PATCH This Week

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Struts
NVD
CVSS 3.1
7.5
EPSS
6.3%
CVE-2023-34396 Maven HIGH PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
CVSS 3.1
7.5
EPSS
5.5%
CVE-2023-34149 Maven MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
CVSS 3.1
6.5
EPSS
5.4%
CVE-2020-26259 Maven MEDIUM POC PATCH THREAT This Month

XStream is a Java library to serialize objects to XML and back again. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Java Command Injection Struts Xstream Debian Linux +1
NVD GitHub
CVSS 3.1
6.8
EPSS
82.4%
CVE-2020-26258 Maven HIGH POC PATCH THREAT This Week

XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SSRF Struts Xstream Debian Linux +1
NVD GitHub
CVSS 3.1
7.7
EPSS
82.2%
CVE-2020-17530 Maven CRITICAL POC KEV PATCH THREAT Act Now

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache RCE Struts Business Intelligence Communications Diameter Intelligence Hub +5
NVD GitHub
CVSS 3.1
9.8
EPSS
95.9%
CVE-2018-11776 Maven HIGH POC KEV PATCH THREAT Act Now

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then:. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache RCE Struts Active Iq Unified Manager Oncommand Insight +5
NVD GitHub Exploit-DB
CVSS 3.1
8.1
EPSS
100.0%
CVE-2018-1327 Maven HIGH PATCH This Week

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
CVSS 3.0
7.5
EPSS
9.2%
CVE-2017-15707 Maven MEDIUM PATCH This Month

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Struts Oncommand Balance Agile Plm Framework +9
NVD
CVSS 3.0
6.2
EPSS
1.5%
CVE-2016-3090 Maven HIGH PATCH This Week

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Apache Struts
NVD
CVSS 3.0
8.8
EPSS
2.2%
CVE-2016-4461 Maven HIGH PATCH This Week

{}" sequence in a tag attribute, aka forced double OGNL evaluation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Apache Struts Oncommand Balance
NVD
CVSS 3.0
8.8
EPSS
1.7%
CVE-2015-5169 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Struts
NVD
CVSS 3.0
6.1
EPSS
1.2%
CVE-2017-9804 Maven HIGH PATCH This Week

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
CVSS 3.0
7.5
EPSS
4.6%
CVE-2017-9793 Maven HIGH PATCH This Week

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
CVSS 3.0
7.5
EPSS
7.9%
CVE-2017-12611 Maven CRITICAL POC PATCH THREAT Act Now

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.2%.

Apache Information Disclosure Struts
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
94.2%
Threat
6.3
CVE-2016-8738 Maven MEDIUM PATCH This Month

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Struts
NVD
CVSS 3.0
5.9
EPSS
1.1%
CVE-2016-6795 Maven CRITICAL PATCH Act Now

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Apache RCE Struts
NVD
CVSS 3.0
9.8
EPSS
5.0%
CVE-2015-5209 Maven HIGH PATCH This Week

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
CVSS 3.0
7.5
EPSS
1.4%
CVE-2017-9787 Maven HIGH PATCH This Week

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache Information Disclosure Struts
NVD
CVSS 3.0
7.5
EPSS
8.2%
CVE-2017-7672 Maven MEDIUM PATCH This Month

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Struts
NVD
CVSS 3.0
5.9
EPSS
1.3%
CVE-2016-4436 Maven CRITICAL PATCH Act Now

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Apache Struts
NVD
CVSS 3.0
9.8
EPSS
5.7%
CVE-2016-4465 Maven MEDIUM PATCH This Month

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.4%.

Denial Of Service Apache Struts
NVD
CVSS 3.0
5.3
EPSS
10.4%
CVE-2016-4438 Maven CRITICAL PATCH Act Now

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 62.1%.

RCE Apache Struts
NVD
CVSS 3.0
9.8
EPSS
62.1%
CVE-2016-4433 Maven HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
CVSS 3.0
7.5
EPSS
3.5%
CVE-2016-4431 Maven HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
CVSS 3.0
7.5
EPSS
8.2%
CVE-2016-4430 Maven HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Apache Struts
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2016-1182 Maven HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Denial Of Service Java Apache Struts
NVD GitHub
CVSS 3.0
8.2
EPSS
1.8%
CVE-2016-1181 Maven HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

RCE Denial Of Service Java Apache Banking Platform +2
NVD GitHub
CVSS 3.0
8.1
EPSS
9.4%
CVE-2015-0899 Maven HIGH PATCH Act Now

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 69.5%.

Authentication Bypass Apache Struts
NVD
CVSS 3.0
7.5
EPSS
69.5%
CVE-2016-3093 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Ognl Struts
NVD
CVSS 3.0
5.3
EPSS
5.1%
CVE-2016-3087 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an !. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.0%.

RCE Apache Struts
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
87.0%
Threat
6.1
CVE-2016-3082 Maven CRITICAL PATCH Act Now

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 24.6%.

RCE Apache Struts
NVD
CVSS 3.0
9.8
EPSS
24.6%
CVE-2016-3081 Maven HIGH POC PATCH THREAT Act Now

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 94.0%.

Command Injection RCE Apache Struts Siebel E Billing
NVD Exploit-DB
CVSS 3.0
8.1
EPSS
94.0%
Threat
5.9
CVE-2016-4003 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Struts
NVD
CVSS 3.0
6.1
EPSS
2.6%
CVE-2016-2162 Maven MEDIUM PATCH This Month

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Struts
NVD
CVSS 3.0
6.1
EPSS
1.2%
CVE-2016-0785 Maven HIGH PATCH Act Now

{}" sequence in a tag attribute, aka forced double OGNL evaluation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 17.8%.

RCE Apache Struts
NVD
CVSS 3.0
8.8
EPSS
17.8%
CVE-2015-1831 Maven HIGH PATCH This Week

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Struts
NVD
CVSS 2.0
7.5
EPSS
4.5%
CVE-2014-7809 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
CVSS 2.0
6.8
EPSS
7.5%
CVE-2014-0116 Maven MEDIUM PATCH This Month

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Privilege Escalation Apache Struts
NVD
CVSS 2.0
5.8
EPSS
2.8%
CVE-2014-0114 Maven HIGH POC PATCH THREAT Act Now

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.7%.

RCE Apache Commons Beanutils Struts
NVD Exploit-DB VulDB
CVSS 2.0
7.5
EPSS
92.7%
Threat
5.8
CVE-2014-0113 Maven HIGH POC PATCH THREAT Act Now

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.1%.

RCE Privilege Escalation Apache Struts
NVD Exploit-DB VulDB
CVSS 2.0
7.5
EPSS
82.1%
Threat
5.5
CVE-2014-0112 Maven HIGH POC PATCH THREAT Act Now

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.4%.

RCE Privilege Escalation Apache Struts
NVD Exploit-DB VulDB
CVSS 2.0
7.5
EPSS
91.4%
Threat
5.7
CVE-2014-0094 Maven MEDIUM POC PATCH THREAT This Month

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.1%.

Information Disclosure Apache Struts
NVD Exploit-DB VulDB
CVSS 2.0
5.0
EPSS
93.1%
Threat
5.3
CVE-2013-6348 Maven MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Apache XSS Struts
NVD
CVSS 2.0
4.3
EPSS
2.8%
CVE-2013-4316 Maven CRITICAL PATCH Act Now

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Struts Flexcube Private Banking Mysql Enterprise Monitor +1
NVD
CVSS 2.0
10.0
EPSS
6.2%
CVE-2013-4310 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Privilege Escalation Apache Struts
NVD
CVSS 2.0
5.8
EPSS
8.7%
CVE-2013-2248 Maven MEDIUM POC PATCH THREAT This Month

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 92.0%.

Apache Open Redirect Struts
NVD Exploit-DB
CVSS 2.0
5.8
EPSS
92.0%
Threat
5.4
CVE-2013-2135 Maven CRITICAL PATCH Act Now

{}" and "%{}" sequences, which causes the OGNL code to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Epss exploitation probability 83.0%.

Code Injection Apache RCE Struts
NVD
CVSS 2.0
9.3
EPSS
83.0%
Threat
4.4
CVE-2013-2134 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.5%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 2.0
9.3
EPSS
91.5%
Threat
6.1
CVE-2013-2115 Maven HIGH POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 87.6%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 3.1
8.1
EPSS
87.6%
Threat
5.7
CVE-2013-1966 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.1%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 2.0
9.3
EPSS
91.1%
Threat
6.1
CVE-2013-1965 Maven CRITICAL POC PATCH THREAT Act Now

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.8%.

Code Injection Apache RCE Struts Struts2 Showcase
NVD
CVSS 2.0
9.3
EPSS
91.8%
Threat
6.1
CVE-2012-4387 Maven MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Denial Of Service Apache Struts
NVD
CVSS 2.0
5.0
EPSS
7.9%
CVE-2012-4386 Maven MEDIUM PATCH This Month

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
CVSS 2.0
6.8
EPSS
3.2%
CVE-2012-0838 Maven CRITICAL PATCH Act Now

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.1%.

Apache RCE Struts
NVD
CVSS 2.0
10.0
EPSS
11.1%
CVE-2012-1007 Maven MEDIUM POC THREAT This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 23.0%.

Apache XSS Struts
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
23.0%
CVE-2012-1006 Maven MEDIUM POC PATCH THREAT This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 78.1%.

Apache XSS Struts
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
78.1%
Threat
4.7
CVE-2012-0394 Maven MEDIUM POC PATCH THREAT This Month

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 92.6%.

Code Injection Apache RCE Struts
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
92.6%
Threat
5.6
CVE-2012-0393 Maven MEDIUM POC PATCH THREAT This Month

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 58.5%.

Privilege Escalation Apache Java Struts
NVD Exploit-DB
CVSS 2.0
6.4
EPSS
58.5%
Threat
4.5
CVE-2012-0392 Maven MEDIUM POC PATCH THREAT This Month

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.0%.

RCE Apache Java Struts
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
75.0%
Threat
5.1
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Denial Of Service Apache Ubuntu +3
NVD GitHub HeroDevs VulDB
EPSS 78% CVSS 9.5
CRITICAL PATCH Act Now

File upload logic in Apache Struts is flawed. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian RCE Apache +2
NVD
EPSS 81% CVSS 9.8
CRITICAL PATCH Act Now

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal RCE Information Disclosure +2
NVD
EPSS 6% CVSS 7.5
HIGH PATCH This Week

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Struts
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
EPSS 5% CVSS 6.5
MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.5.30, through 6.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Struts
NVD
EPSS 82% CVSS 6.8
MEDIUM POC PATCH THREAT This Month

XStream is a Java library to serialize objects to XML and back again. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Java Command Injection Struts +3
NVD GitHub
EPSS 82% CVSS 7.7
HIGH POC PATCH THREAT This Week

XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SSRF Struts +3
NVD GitHub
EPSS 96% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache RCE Struts +7
NVD GitHub
EPSS 100% CVSS 8.1
HIGH POC KEV PATCH THREAT Act Now

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then:. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache RCE Struts +7
NVD GitHub Exploit-DB
EPSS 9% CVSS 7.5
HIGH PATCH This Week

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
EPSS 2% CVSS 6.2
MEDIUM PATCH This Month

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Struts +11
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Apache Struts
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

{}" sequence in a tag attribute, aka forced double OGNL evaluation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Apache Struts +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Struts
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
EPSS 94% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.2%.

Apache Information Disclosure Struts
NVD Exploit-DB
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Struts
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Apache RCE +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Struts
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Apache Information Disclosure +1
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Struts
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Apache Struts
NVD
EPSS 10% CVSS 5.3
MEDIUM PATCH This Month

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.4%.

Denial Of Service Apache Struts
NVD
EPSS 62% CVSS 9.8
CRITICAL PATCH Act Now

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 62.1%.

RCE Apache Struts
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Struts
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Apache Struts
NVD
EPSS 2% CVSS 8.2
HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Denial Of Service Java +2
NVD GitHub
EPSS 9% CVSS 8.1
HIGH PATCH This Week

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

RCE Denial Of Service Java +4
NVD GitHub
EPSS 69% CVSS 7.5
HIGH PATCH Act Now

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 69.5%.

Authentication Bypass Apache Struts
NVD
EPSS 5% CVSS 5.3
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Ognl +1
NVD
EPSS 87% 6.1 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an !. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 87.0%.

RCE Apache Struts
NVD Exploit-DB
EPSS 25% CVSS 9.8
CRITICAL PATCH Act Now

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 24.6%.

RCE Apache Struts
NVD
EPSS 94% 5.9 CVSS 8.1
HIGH POC PATCH THREAT Act Now

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 94.0%.

Command Injection RCE Apache +2
NVD Exploit-DB
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Struts
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Apache Struts
NVD
EPSS 18% CVSS 8.8
HIGH PATCH Act Now

{}" sequence in a tag attribute, aka forced double OGNL evaluation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 17.8%.

RCE Apache Struts
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Apache Struts
NVD
EPSS 8% CVSS 6.8
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
EPSS 3% CVSS 5.8
MEDIUM PATCH This Month

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Privilege Escalation Apache Struts
NVD
EPSS 93% 5.8 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.7%.

RCE Apache Commons Beanutils +1
NVD Exploit-DB VulDB
EPSS 82% 5.5 CVSS 7.5
HIGH POC PATCH THREAT Act Now

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 82.1%.

RCE Privilege Escalation Apache +1
NVD Exploit-DB VulDB
EPSS 91% 5.7 CVSS 7.5
HIGH POC PATCH THREAT Act Now

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 91.4%.

RCE Privilege Escalation Apache +1
NVD Exploit-DB VulDB
EPSS 93% 5.3 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.1%.

Information Disclosure Apache Struts
NVD Exploit-DB VulDB
EPSS 3% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Apache XSS Struts
NVD
EPSS 6% CVSS 10.0
CRITICAL PATCH Act Now

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Struts +3
NVD
EPSS 9% CVSS 5.8
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Privilege Escalation Apache Struts
NVD
EPSS 92% 5.4 CVSS 5.8
MEDIUM POC PATCH THREAT This Month

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 92.0%.

Apache Open Redirect Struts
NVD Exploit-DB
EPSS 83% 4.4 CVSS 9.3
CRITICAL PATCH Act Now

{}" and "%{}" sequences, which causes the OGNL code to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Epss exploitation probability 83.0%.

Code Injection Apache RCE +1
NVD
EPSS 92% 6.1 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.5%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 88% 5.7 CVSS 8.1
HIGH POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 87.6%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 91% 6.1 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.1%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 92% 6.1 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.8%.

Code Injection Apache RCE +2
NVD
EPSS 8% CVSS 5.0
MEDIUM PATCH This Month

Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Denial Of Service Apache +1
NVD
EPSS 3% CVSS 6.8
MEDIUM PATCH This Month

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Apache Struts
NVD
EPSS 11% CVSS 10.0
CRITICAL PATCH Act Now

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.1%.

Apache RCE Struts
NVD
EPSS 23% CVSS 4.3
MEDIUM POC THREAT This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 23.0%.

Apache XSS Struts
NVD Exploit-DB
EPSS 78% 4.7 CVSS 4.3
MEDIUM POC PATCH THREAT This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 78.1%.

Apache XSS Struts
NVD Exploit-DB
EPSS 93% 5.6 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 92.6%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 59% 4.5 CVSS 6.4
MEDIUM POC PATCH THREAT This Month

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 58.5%.

Privilege Escalation Apache Java +1
NVD Exploit-DB
EPSS 75% 5.1 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.0%.

RCE Apache Java +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy