org.apache.struts:struts2-core
Maven
58 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.struts:struts2-core (page 2 of 2)
- CVE-2020-17530 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | ✓ Fixed in 2.5.26 | 2020-12-11
vulnerable: 2.0.11 ... 2.5.8 (75 versions)
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.
- CVE-2021-31805 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.5.30 | 2022-04-12
vulnerable: 2.0.11 ... 2.5.8 (82 versions)
The fix issued for CVE-2020-17530 was incomplete, so from Apache Struts 2.0.0 to 2.5.29 some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using…
- CVE-2023-34149 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 6.1.2.1 | 2023-06-14
vulnerable: 6.0.0, 6.0.3, 6.1.1, 6.1.2
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
- CVE-2023-34396 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 6.1.2.1 | 2023-06-14
vulnerable: 6.0.0, 6.0.3, 6.1.1, 6.1.2
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
- CVE-2023-41835 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.5.32 | 2023-12-05
vulnerable: 2.0.11 ... 2.5.8 (84 versions)
When a multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions S…
- CVE-2023-50164 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 6.3.0.2 | 2023-12-07
vulnerable: 6.0.0 ... 6.3.0.1 (9 versions)
An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versio…
- CVE-2024-53677 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 6.4.0 | 2024-12-11
vulnerable: 2.0.11 ... 6.3.0.2 (96 versions)
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execut…
- CVE-2025-64775 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 6.8.0 | 2025-12-01
vulnerable: 6.0.0 ... 6.7.4 (15 versions)
Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to…