Apache Struts
This hub aggregates every CVE we track for Apache Struts, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- 92 CVEs tracked
- 23 Critical
- 30 High
- 8 in CISA KEV
Severity distribution: Critical 23, High 30, Medium 38, Low 1.
Monthly trend (new CVEs per month, 2024-07 to 2026-06): 2025-01: 1, 2025-05: 1, 2026-01: 2, 2026-02: 1; all other months 0.
Latest CVEs
The 15 most recently published vulnerabilities affecting Apache Struts.
- CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component (CVSS 8.1)
- CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed (CVSS 8.2)
- CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) (CVSS 7.5)
- CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. (CVSS 6.5)
- CVE-2024-53677: Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks (CVSS 9.8)
- CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability (CVSS 9.8)
- CVE-2023-41835: Apache Struts: excessive disk usage (CVSS 7.5)
- CVE-2023-34396: Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms (CVSS 4.3)
- CVE-2023-34149: Apache Struts: DoS via OOM owing to not properly checking of list bounds (CVSS 4.3)
- CVE-2021-31805: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. (CVSS 9.8)
- CVE-2020-26258: Server-Side Forgery Request can be activated unmarshalling with XStream (CVSS 6.3)
- CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling (CVSS 6.8)
- CVE-2020-17530: Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25. In CISA KEV. (CVSS 9.8)
- CVE-2019-0233: An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. (CVSS 7.5)
- CVE-2019-0230: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. (CVSS 9.8)
Product normalization is registry-driven with AI assist and human review.