GHSA-qcfc-hmrc-59x7

Source

https://github.com/advisories/GHSA-qcfc-hmrc-59x7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-qcfc-hmrc-59x7/GHSA-qcfc-hmrc-59x7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qcfc-hmrc-59x7

Aliases

CVE-2025-68493

Published

2026-01-11T15:31:59Z

Modified

2026-01-16T19:41:30.672843Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator

Summary

Apache Struts 2 is Missing XML Validation

Details

Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Database specific

{
    "nvd_published_at": "2026-01-11T13:15:45Z",
    "cwe_ids": [
        "CWE-112",
        "CWE-611"
    ],
    "github_reviewed_at": "2026-01-13T21:49:00Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven

org.apache.struts:struts2-core

Package

Name: org.apache.struts:struts2-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.struts/struts2-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Last affected

2.3.37

Affected versions

2.*

2.0.5

2.0.6

2.0.8

2.0.9

2.0.11

2.0.11.1

2.0.11.2

2.0.12

2.0.14

2.1.2

2.1.6

2.1.8

2.1.8.1

2.2.1

2.2.1.1

2.2.3

2.2.3.1

2.3.1

2.3.1.1

2.3.1.2

2.3.3

2.3.4

2.3.4.1

2.3.7

2.3.8

2.3.12

2.3.14

2.3.14.1

2.3.14.2

2.3.14.3

2.3.15

2.3.15.1

2.3.15.2

2.3.15.3

2.3.16

2.3.16.1

2.3.16.2

2.3.16.3

2.3.20

2.3.20.1

2.3.20.3

2.3.24

2.3.24.1

2.3.24.3

2.3.28

2.3.28.1

2.3.29

2.3.30

2.3.31

2.3.32

2.3.33

2.3.34

2.3.35

2.3.36

2.3.37

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-qcfc-hmrc-59x7/GHSA-qcfc-hmrc-59x7.json"

org.apache.struts:struts2-core

Package

Name: org.apache.struts:struts2-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.struts/struts2-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Last affected

2.5.33

Affected versions

2.*

2.5

2.5.1

2.5.2

2.5.5

2.5.8

2.5.10

2.5.10.1

2.5.12

2.5.13

2.5.14

2.5.14.1

2.5.16

2.5.17

2.5.18

2.5.20

2.5.22

2.5.25

2.5.26

2.5.27

2.5.28

2.5.28.1

2.5.28.2

2.5.28.3

2.5.29

2.5.30

2.5.31

2.5.32

2.5.33

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-qcfc-hmrc-59x7/GHSA-qcfc-hmrc-59x7.json"

org.apache.struts:struts2-core

Package

Name: org.apache.struts:struts2-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.struts/struts2-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.1.1

Affected versions

6.*

6.0.0

6.0.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-qcfc-hmrc-59x7/GHSA-qcfc-hmrc-59x7.json"

com.opensymphony:xwork

Package

Name: com.opensymphony:xwork; View open source insights on deps.dev
Purl: pkg:maven/com.opensymphony/xwork

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Affected versions

2.*

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.1.1

2.1.2

2.1.3

Database specific

last_known_affected_version_range

"< 2.2.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-qcfc-hmrc-59x7/GHSA-qcfc-hmrc-59x7.json"

org.apache.struts.xwork:xwork-core

Package

Name: org.apache.struts.xwork:xwork-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.struts.xwork/xwork-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.1

Affected versions

2.*

2.2.1

2.2.1.1

2.2.3

2.2.3.1

2.3.1

2.3.1.1

2.3.1.2

2.3.3

2.3.4

2.3.4.1

2.3.7

2.3.8

2.3.12

2.3.14

2.3.14.1

2.3.14.2

2.3.14.3

2.3.15

2.3.15.1

2.3.15.2

2.3.15.3

2.3.16

2.3.16.1

2.3.16.2

2.3.16.3

2.3.20

2.3.20.1

2.3.20.3

2.3.24

2.3.24.1

2.3.24.3

2.3.28

2.3.28.1

2.3.29

2.3.30

2.3.31

2.3.32

2.3.33

2.3.34

2.3.35

2.3.36

2.3.37

Database specific

last_known_affected_version_range

"< 6.1.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-qcfc-hmrc-59x7/GHSA-qcfc-hmrc-59x7.json"