pkg:Maven/org.apache.struts:struts2-core

60 total CVEs: CRITICAL 14, HIGH 15, MEDIUM 8

All known vulnerabilities

  • CRITICAL 10.0 CVE-2017-5638 ⚠ KEV: Apache Struts vulnerable to remote arbitrary command execution due to improper input validation
    >= 2.3.0, < 2.3.32
  • CRITICAL 9.8 CVE-2013-2251 ⚠ KEV: Code injection in Apache Struts
    from 0, < 2.3.15.1
  • CRITICAL 9.8 CVE-2012-0391 ⚠ KEV: Apache Struts Remote Java Code Execution
    from 0, < 2.2.3.1
  • CRITICAL 9.8 CVE-2020-17530 ⚠ KEV: Remote code execution in Apache Struts
    >= 2.0.0, < 2.5.26
  • HIGH 8.1 CVE-2018-11776 ⚠ KEV: Apache Struts vulnerable to remote command execution (RCE) due to improper input validation
    >= 2.0.4, < 2.3.35
  • CRITICAL 9.8 CVE-2024-53677: Apache Struts file upload logic is flawed
    from 0, < 6.4.0
  • CRITICAL 9.8 CVE-2023-50164: Apache Struts vulnerable to path traversal
    >= 2.0.0, < 2.5.33
  • CRITICAL 9.8 CVE-2016-3082: Remote Code Execution in Apache Struts
    from 0, < 2.3.20.3
  • CRITICAL 9.8 CVE-2016-4436: Apache Struts improper action name cleanup
    >= 2.0.0, < 2.3.29
  • CRITICAL 9.8 CVE-2016-3087: Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
    >= 2.3.19, < 2.3.20.3
  • CRITICAL 9.8 CVE-2016-4438: Arbitrary code execution in Apache Struts 2
    >= 2.3.19, < 2.3.29
  • CRITICAL 9.8 CVE-2011-3923: Struts ParameterInterceptor vulnerability allows remote command execution
    >= 2.0.0, < 2.3.1.2
  • CRITICAL 9.8 CVE-2021-31805: Expression Language Injection in Apache Struts
    >= 2.0.0, < 2.5.30
  • CRITICAL 9.8 CVE-2019-0230: Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts
    >= 2.0.0, < 2.5.22
  • CRITICAL 9.8 CVE-2017-12611: Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal
    >= 2.0.1, < 2.3.34
  • HIGH 8.8 CVE-2016-4461: Apache Struts forced double OGNL evaluation
    >= 2.0.0, < 2.3.29
  • HIGH 8.8 CVE-2016-0785: Apache Struts RCE Vulnerability
    >= 2.0.0, < 2.3.20.3
  • HIGH 8.8 CVE-2012-1592: Unrestricted Upload of File with Dangerous Type in Apache Struts2
    >= 2.0, < 2.5.22
  • HIGH 8.2 CVE-2025-66675: Apache Struts has a Denial of Service vulnerability
    >= 2.0.0, < 6.8.0
  • HIGH 8.1 CVE-2025-68493: Apache Struts 2 is Missing XML Validation
    >= 2.0.0, <= 2.3.37
  • HIGH 8.1 CVE-2016-3081: Apache Struts RCE Vulnerability
    >= 2.3.19, < 2.3.20.3
  • HIGH 8.1 CVE-2013-2115: Code injection in Apache Struts
    >= 2.0.0, < 2.3.14.2
  • HIGH 7.5 CVE-2025-64775: Apache Struts is Vulnerable to DoS via File Leak
    >= 6.0.0, < 6.8.0
  • HIGH 7.5 CVE-2023-41835: Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability
    >= 6.2.0, < 6.3.0.1
  • HIGH 7.5 CVE-2023-34396: Apache Struts vulnerable to memory exhaustion
    from 0, < 2.5.31
  • HIGH 7.5 CVE-2019-0233: Improper Preservation of Permissions in Apache Struts
    >= 2.0.0, < 2.5.22
  • HIGH 7.5 CVE-2015-5209: Special top object can be used to access Struts' internals
    from 0, < 2.3.24.1
  • HIGH 7.5 CVE-2017-9804: Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used
    >= 2.3.7, < 2.3.34
  • HIGH 7.5 CVE-2017-9787: Spring AOP functionality (Struts) vulnerable to DoS attack
    >= 2.3.7, < 2.3.33
  • MEDIUM 6.5 CVE-2023-34149: Apache Struts vulnerable to memory exhaustion
    from 0, < 2.5.31
  • MEDIUM 6.1 CVE-2016-2162: Apache Struts XSS Vulnerability
    >= 2.0.0, < 2.3.28
  • MEDIUM 6.1 CVE-2015-5169: Cross-site Scripting in Apache Struts
    from 0, < 2.3.20
  • MEDIUM 6.1 CVE-2016-4003: Cross-site Scripting in Apache Struts
    >= 2.0.0, < 2.3.28
  • MEDIUM 5.9 CVE-2016-8738: Apache Struts vulnerable to possible DoS attack when using URLValidator
    >= 2.5.0, < 2.5.13
  • MEDIUM 5.9 CVE-2017-7672: Apache Struts Improper Input Validation vulnerability
    >= 2.5.0, < 2.5.12
  • MEDIUM 5.3 CVE-2016-3093: Denial of service in Apache Struts
    >= 2.0.0, < 2.3.24.3
  • MEDIUM 5.3 CVE-2016-4465: Apache Struts vulnerable to possible DoS attack when using URLValidator
    >= 2.3.20, < 2.3.29
  • CVE-2015-2992: Cross-site Scripting in Apache Struts
    from 0, < 2.3.20
  • CVE-2008-6682: Apache Struts is vulnerable to Cross-site Scripting
    >= 2.0.0, < 2.0.11.1
  • CVE-2008-6505: Apache Struts directory traversal vulnerability
    >= 2.0.0, < 2.0.12
  • CVE-2011-1772: Cross-site Scripting in Apache Struts
    from 0, < 2.2.3
  • CVE-2013-6348: Apache Struts is vulnerable to Cross-site Scripting
    from 0, < 2.3.16
  • CVE-2013-4310: Apache Struts2 Broken Access Control Vulnerability
    from 0, < 2.3.15.3
  • CVE-2013-4316: Code injection in Apache Struts
    >= 2.0.0, < 2.3.15.2
  • CVE-2013-2248: Open redirect in Apache Struts
    from 0, < 2.3.15.1
  • CVE-2012-4386: Cross-Site Request Forgery in Apache Struts
    >= 2.0.0, < 2.3.4.1
  • CVE-2015-1831: Incomplete exclude pattern in Apache Struts
    >= 2.0.0, < 2.3.20.1
  • CVE-2014-7809: Cross-Site Request Forgery in Apache Struts
    from 0, < 2.3.20
  • CVE-2013-2134: Arbitrary code execution in Apache Struts 2
    >= 2.0.0, < 2.3.14.3
  • CVE-2013-2135: Arbitrary code execution in Apache Struts 2
    >= 2.0.0, < 2.3.14.3
  • CVE-2012-0838: Apache Struts Code injection due to conversion error
    from 0, < 2.2.3.1
  • CVE-2014-0112: ClassLoader manipulation in Apache Struts
    from 0, < 2.3.20
  • CVE-2013-1965: Improper Control of Generation of Code in Apache Struts
    from 0, < 2.3.14.3
  • CVE-2013-1966: Arbitrary code execution in Apache Struts
    >= 2.0.0, < 2.3.14.2
  • CVE-2014-0094: ClassLoader manipulation in Apache Struts
    >= 2.0.0, < 2.3.16.2
  • CVE-2014-0113: ClassLoader manipulation in Apache Struts
    from 0, < 2.3.20
  • CVE-2014-0116: ClassLoader manipulation in Apache Struts
    from 0, < 2.3.20
  • CVE-2010-1870: Server side object manipulation in Apache Struts
    from 0, < 2.2.1
  • CVE-2012-0392: Apache Struts's CookieInterceptor component does not use the parameter-name whitelist
    from 0, < 2.2.3.1
  • CVE-2012-0393: Apache Struts's ParameterInterceptor component does not prevent access to public constructors
    from 0, < 2.3.1.1