Apache Struts Missing XML Validation Vulnerability Allowing XXE Injection

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in Apache Struts. The issue stems from missing XML validation in the XWork component, which does not restrict external entity resolution in the documents it parses. Affected versions run from 2.0.0 up to and including 6.1.0 (the advisory lists the ranges 2.0.0 before 2.2.1 and 2.2.1 through 6.1.0). Successful exploitation can lead to unauthorized data disclosure, denial of service, and server-side request forgery.

Impact

An attacker who can supply XML that reaches the vulnerable parser can declare external entities in a DOCTYPE and have the parser resolve them. Resolving a file: entity reads local files into the parsed document (unauthorized data access); resolving an http: entity makes the server issue requests to hosts the attacker chooses (server-side request forgery); and nested or recursive entity declarations can exhaust parser memory and CPU (denial of service).

Remediation

Users are advised to upgrade to Apache Struts version 6.1.1 or later. Where an immediate upgrade is not possible, XXE can be mitigated at the parser level by building XML parsers from a custom SAXParserFactory that disallows DOCTYPE declarations and disables external general and parameter entities, or at the JVM level by restricting the default JAXP parser via system properties (for example setting javax.xml.accessExternalDTD to an empty string). Disabling external entities alone does not stop entity-expansion denial of service; rejecting the DOCTYPE, or keeping the JDK's secure-processing entity limits in force, covers that case as well.
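The following is an added example, not code from the Apache Struts project or from this advisory. It shows a SAXParserFactory hardened along the lines described above, beside a default-configured factory, run against a constructed XXE document that references a local file through an external entity. The payload, the hardened feature set and the helper names are this example's own; which entity a real attack would declare depends on the deployment.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardenedParser {

    // Constructed sample document (not from the advisory): a DOCTYPE declares an external
    // general entity that points at a local file and the body expands it inside <name>.
    private static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE user [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<user><name>&xxe;</name></user>";

    /**
     * Hardened factory: rejects any DOCTYPE (so no entities can be declared at all),
     * turns off external general/parameter entities and external DTD loading as defence in
     * depth, disables XInclude, and keeps JAXP secure processing (entity-expansion limits) on.
     */
    public static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    /** Collects character data so the caller can see whether an entity was expanded. */
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    /** Parses the document with the given factory and returns its concatenated text content. */
    public static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, handler);
        }
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: on a stock JDK with no JAXP restrictions the file: entity is
        // resolved and the file's contents appear in the parsed text.
        try {
            System.out.println("default  : " + parse(SAXParserFactory.newInstance(), XXE_PAYLOAD).trim());
        } catch (SAXException e) {
            System.out.println("default  : rejected (" + e.getMessage() + ")");
        }

        // Hardened factory: the DOCTYPE itself is rejected, so parsing fails before any
        // entity can be declared or resolved.
        try {
            System.out.println("hardened : " + parse(hardenedFactory(), XXE_PAYLOAD));
        } catch (SAXException e) {
            System.out.println("hardened : rejected (" + e.getMessage() + ")");
        }
    }
}
```

The JVM-wide alternative the remediation text mentions is to start the process with javax.xml.accessExternalDTD (and, where schemas are loaded, javax.xml.accessExternalSchema) set to an empty string, which makes the default JAXP parsers refuse external DTD and entity access without code changes; it is coarser than a per-factory configuration and does not by itself reject DOCTYPEs, so secure processing should stay enabled to keep the expansion limits that guard against entity-expansion denial of service.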

Added: Jan 11, 2026, 1:17 PM
Updated: Jan 11, 2026, 8:17 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           6.4
impact           2.5
exploitability   7.6
remediation      7.9
relevance        2.0
threat           0.0
urgency          2.9
incentive        5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.