CVE-2025-68493

EUVD-2026-1898
Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
apachestruts
2.0.0 ≤
𝑥
≤ 2.3.37
apachestruts
2.5.0 ≤
𝑥
≤ 2.5.33
apachestruts
6.0.0 ≤
𝑥
< 6.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cwiki.apache.org/confluence/display/WW/S2-069
http://www.openwall.com/lists/oss-security/2026/01/11/2