| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
Known vulnerabilities affecting Struts products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2023-50164 | An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Use... | 9.8 | 690 | Viral | Yes |
| Yes |
| CVE-2023-41835 | When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are r... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2023-34396 | Denial of service via out of memory (OOM) owing to no sanity limit on normal form fields in multipart forms. When a Multipart request has non-file normal form fields, Struts used to bring them into me... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2023-34149 | Denial of service via out of memory (OOM) owing to not properly checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings with... | 6.5 | 209 | Neutral | No | Yes |
| CVE-2021-31805 | The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluat... | 9.8 | 690 | Low | Yes | Yes |
| CVE-2020-26259 | ### Impact The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input strea... | 6.8 | 524 | Low | Yes | Yes |
| CVE-2020-26258 | ### Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. ### Patches If you re... | 7.7 | 646 | Neutral | Yes | Yes |
| CVE-2020-17530 | Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 9.8 | 853 | Viral | Yes | Yes |
| CVE-2019-0233 | An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. | 7.5 | 386 | Neutral | No | Yes |
| CVE-2019-0230 | Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 9.8 | 690 | Low | Yes | Yes |
| CVE-2018-1327 | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Strut... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2018-11776 | Apache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, actio... | 8.1 | 670 | Viral | Yes | Yes |
| CVE-2017-9805 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can ... | 8.1 | 713 | Viral | Yes | Yes |
| CVE-2017-9804 | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which w... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-9793 | The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specia... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-9791 | The Struts 1 plugin used with Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. | 9.8 | 776 | Low | Yes | Yes |
| CVE-2017-9787 | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-7672 | If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validatio... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2017-5638 | Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remot... | 9.8 | 776 | Viral | Yes | Yes |
| CVE-2017-15707 | In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | 0.0 | 0 | Neutral | No | Yes |