Apache struts

This hub aggregates every CVE we track for Apache struts, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache struts.

• CVE-2025-68493Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component8.1Jan 11, 2026
• CVE-2025-66675Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed8.2Dec 10, 2025
• CVE-2025-64775Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS)7.5Dec 1, 2025
• CVE-2024-53677Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks9.8Dec 11, 2024
• CVE-2023-50164Apache Struts: File upload component had a directory traversal vulnerability9.8Dec 7, 2023
• CVE-2023-41835Apache Struts: excessive disk usage7.5Dec 5, 2023
• CVE-2023-34396Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms4.3Jun 14, 2023
• CVE-2023-34149Apache Struts: DoS via OOM owing to not properly checking of list bounds4.3Jun 14, 2023
• CVE-2021-31805Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.9.8Apr 12, 2022
• CVE-2020-17530Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.KEV9.8Dec 11, 2020
• CVE-2015-2992Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.6.1Feb 27, 2020
• CVE-2018-11776Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then...KEV8.1Aug 22, 2018
• CVE-2018-1327The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache St...7.5Mar 27, 2018
• CVE-2017-15707In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.6.2Dec 1, 2017
• CVE-2017-9804In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL whic...7.5Sep 20, 2017