| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
Known vulnerabilities affecting Struts products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2021-31805 | The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluat... | 9.8 | 690 | Low | Yes |
| Yes |
| CVE-2020-26259 | ### Impact The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input strea... | 6.8 | 524 | Low | Yes | Yes |
| CVE-2020-26258 | ### Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. ### Patches If you re... | 7.7 | 646 | Neutral | Yes | Yes |
| CVE-2020-17530 | Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 9.8 | 853 | Viral | Yes | Yes |
| CVE-2019-0233 | An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. | 7.5 | 386 | Neutral | No | Yes |
| CVE-2019-0230 | Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 9.8 | 690 | Low | Yes | Yes |
| CVE-2018-1327 | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Strut... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2018-11776 | Apache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, actio... | 8.1 | 670 | Viral | Yes | Yes |
| CVE-2017-9805 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can ... | 8.1 | 713 | Viral | Yes | Yes |
| CVE-2017-9804 | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which w... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-9793 | The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specia... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-9791 | The Struts 1 plugin used with Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. | 9.8 | 776 | Low | Yes | Yes |
| CVE-2017-9787 | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-7672 | If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validatio... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-5638 | Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remot... | 9.8 | 776 | Viral | Yes | Yes |
| CVE-2017-15707 | In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-12611 | In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. | 0.0 | 0 | Low | Yes | Yes |
| CVE-2016-8738 | If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validatio... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2016-6795 | In Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. This vulnera... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2016-4465 | The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.13 allows remote attackers to cause a denial of service via a null value for a URL field. | 0.0 | 0 | Neutral | No | Yes |