anonhaven
Ad

CVE-2025-68493

HIGH CVSS 3.1: 8.1 EPSS 0.03%
Updated Jan 16, 2026
Apache
Parameter Value
CVSS 8.1 (HIGH)
Affected Versions 2.0.0 — 6.1.1
Fixed In 6.1.1
Type CWE-112, CWE-611
Vendor Apache
Public PoC No

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-112
CWE-611

Vulnerable Products 3

Configuration From (including) Up to (excluding)
Apache Struts
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
 2.0.0 <= 2.3.37
Apache Struts
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
 2.5.0 <= 2.5.33
Apache Struts
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
 6.0.0 6.1.1

References 2

https://cwiki.apache.org/confluence/display/WW/S2-069
security@apache.org
http://www.openwall.com/lists/oss-security/2026/01/11/2
af854a3a-2127-422b-91ae-364da2661108
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25219

Apache

6.5

CVE-2025-54550

Apache

8.1

CVE-2026-31924

Apache

5.3

CVE-2026-31923

Apache

7.5

CVE-2026-31908

Apache

9.1