Org.apache.struts.xwork:xwork-core
This hub aggregates every CVE we track for Org.apache.struts.xwork:xwork-core, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
16
CVEs tracked
5
Critical
5
High
1
In CISA KEV
Severity distribution
MEDIUM6HIGH5CRITICAL5
Monthly trend
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
2024-072026-06
Latest CVEs
The 15 most recently published vulnerabilities affecting Org.apache.struts.xwork:xwork-core.
- CVE-2025-68493Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component8.1
- CVE-2016-4433Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.7.5
- CVE-2016-4430Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.8.8
- CVE-2015-1831The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.7.5
- CVE-2014-0094The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.5.0
- CVE-2013-2135Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to...9.3
- CVE-2013-2134Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vu...9.3
- CVE-2013-1966Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2...9.3
- CVE-2013-2115Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2...8.1
- CVE-2012-4387Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.5.0
- CVE-2012-0838Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently exe...10.0
- CVE-2012-0393The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted...6.4
- CVE-2012-0391The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which all...KEV9.8
- CVE-2012-0394The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor cha...6.8
- CVE-2012-0392The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie head...6.8
Product normalization is registry-driven with AI assist and human review. How it works