Apache Struts 2 is Missing XML Validation

GHSA-qcfc-hmrc-59x7 · CVE-2025-68493

Published Jan 11, 2026 · Modified Feb 3, 2026

Description

Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

8.1 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Introduced 2.0.0

8 affected versions

2.0.42.0.52.0.62.0.72.1.02.1.12.1.22.1.3

Introduced 2.2.1

42 affected versions

2.2.12.2.1.12.2.32.2.3.12.3.12.3.1.12.3.1.22.3.122.3.142.3.14.12.3.14.22.3.14.32.3.152.3.15.12.3.15.22.3.15.32.3.162.3.16.12.3.16.22.3.16.3 +22 more

Fix 6.1.1

Introduced 2.0.0, 2.5.0, 6.0.0

85 affected versions

2.0.112.0.11.12.0.11.22.0.122.0.142.0.52.0.62.0.82.0.92.1.22.1.62.1.82.1.8.12.2.12.2.1.12.2.32.2.3.12.3.12.3.1.12.3.1.2 +65 more

Ready to move

Free, no credit card | First findings in minutes