CVE-2025-68493

HIGH8.1EPSS 0.03%

Apache Struts 2 is Missing XML Validation

Published: 1/11/2026Modified: 2/3/2026

Description

Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Affected packages (3)

Maven/com.opensymphony:xwork>= 2.0.0
Maven/org.apache.struts:struts2-core>= 2.0.0, <= 2.3.37
Maven/org.apache.struts.xwork:xwork-core>= 2.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68493
PATCHhttps://github.com/apache/struts
WEBhttps://cwiki.apache.org/confluence/display/WW/S2-069
WEBhttp://www.openwall.com/lists/oss-security/2026/01/11/2