Org.apache.struts:struts2-core
This hub aggregates every CVE we track for Org.apache.struts:struts2-core, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 60
- Critical: 20
- High: 17
- In CISA KEV: 5
Severity distribution
- MEDIUM: 22
- CRITICAL: 20
- HIGH: 17
- LOW: 1
Monthly trend
[Chart: monthly CVE counts, 2024-07 to 2026-06]
Latest CVEs
The 15 most recently published vulnerabilities affecting Org.apache.struts:struts2-core.
- CVE-2025-68493: Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component (score 8.1)
- CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed (score 8.2)
- CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) (score 7.5)
- CVE-2024-53677: Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (score 9.8)
- CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability (score 9.8)
- CVE-2023-41835: Apache Struts: excessive disk usage (score 7.5)
- CVE-2023-34396: Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms (score 4.3)
- CVE-2023-34149: Apache Struts: DoS via OOM owing to not properly checking of list bounds (score 4.3)
- CVE-2021-31805: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. (score 9.8)
- CVE-2020-17530: Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25. (KEV, score 9.8)
- CVE-2019-0233: An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. (score 7.5)
- CVE-2019-0230: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. (score 9.8)
- CVE-2015-2992: Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability. (score 6.1)
- CVE-2012-1592: A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. (score 8.8)
- CVE-2011-3923: Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. (score 9.8)
Product normalization is registry-driven with AI assist and human review.