org.apache.struts.xwork:xwork-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.struts.xwork:xwork-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (16)
CVE-2012-0838 — CVSS 10.0 (critical): Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote…
CVE-2013-1966 — CVSS 9.3 (critical): Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled…
CVE-2013-2135 — CVSS 9.3 (critical): Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains…
CVE-2013-2134 — CVSS 9.3 (critical): Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not…
CVE-2016-4430 — CVSS 8.8 (high): Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery…
CVE-2025-68493 — CVSS 8.1 (high): Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache…
CVE-2013-2115 — CVSS 8.1 (high): Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled…
CVE-2016-4433 — CVSS 7.5 (high): Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via…
CVE-2015-1831 — CVSS 7.5 (high): The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an…
CVE-2012-0392 — CVSS 6.8 (medium): The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to…
CVE-2012-0394 — CVSS 6.8 (medium): The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute…
CVE-2012-0393 — CVSS 6.4 (medium): The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote…
CVE-2012-4387 — CVSS 5.0 (medium): Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which…
CVE-2014-0094 — CVSS 5.0 (medium): The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter…
CVE-2011-2088 — CVSS 5.0 (medium): XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive…