Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/struts/struts@1.2.9
purl pkg:maven/struts/struts@1.2.9
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-4wwa-j9p2-9be1
Aliases:
CVE-2008-2025
GHSA-wcgx-2hvx-5cwr
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."
1.2.9-162.31.1
Affected by 0 other vulnerabilities.
VCID-dk2f-14xj-9bf8
Aliases:
CVE-2023-34396
GHSA-4g42-gqrg-4633
Apache Struts vulnerable to memory exhaustion Denial of service via out of memory (OOM) owing to no sanity limit on normal form fields in multipart forms. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to an OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater There are no reported fixed by versions.
VCID-g2gb-x2nh-2bgz
Aliases:
CVE-2012-1007
GHSA-9848-v244-962p
Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to `struts-examples/upload/upload-submit.do`, or the message parameter to (2) `struts-cookbook/processSimple.do` or (3) `struts-cookbook/processDyna.do`. There are no reported fixed by versions.
VCID-jjre-tuhb-4yat
Aliases:
CVE-2023-49735
GHSA-qw4h-3xjj-84cc
Apache Tiles: Unvalidated input may lead to path traversal and XXE The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. There are no reported fixed by versions.
VCID-nur4-1g8a-57ew
Aliases:
CVE-2014-0114
GHSA-p66x-2cv9-qq3v
Improper Input Validation Apache Commons BeanUtils does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts There are no reported fixed by versions.
VCID-ppuk-knqn-tfc6
Aliases:
CVE-2016-1182
GHSA-5ggr-mpgw-3mgx
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. There are no reported fixed by versions.
VCID-s3uq-35pj-byhy
Aliases:
CVE-2015-0899
GHSA-cvvx-r33m-v7pq
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. There are no reported fixed by versions.
VCID-vk8c-a1za-w3cd
Aliases:
CVE-2025-54656
GHSA-cx25-xg7c-xfm5
Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).  As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. There are no reported fixed by versions.
VCID-wqjz-93pk-pbg7
Aliases:
CVE-2016-1181
GHSA-7jw3-5q4w-89qg
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. There are no reported fixed by versions.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-8dws-9ubs-qqcg Improper Input Validation in Apache Struts ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. CVE-2006-1547
GHSA-7qwv-cwgj-c8rj
VCID-ffbg-tkyw-ufad Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message. CVE-2006-1548
GHSA-p3vw-fvwx-qcv5
VCID-v9xj-szyz-3ufy Apache Struts vulnerable to Improper Input Validation Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check. CVE-2006-1546
GHSA-vf8g-mpmw-qv87

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T22:44:35.309816+00:00 GitLab Importer Affected by VCID-jjre-tuhb-4yat https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2023-49735.yml 38.4.0
2026-04-16T21:52:18.467548+00:00 GitLab Importer Affected by VCID-s3uq-35pj-byhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2015-0899.yml 38.4.0
2026-04-16T21:49:22.663899+00:00 GitLab Importer Affected by VCID-wqjz-93pk-pbg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1181.yml 38.4.0
2026-04-16T21:48:45.141200+00:00 GitLab Importer Affected by VCID-ppuk-knqn-tfc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1182.yml 38.4.0
2026-04-16T21:46:15.117116+00:00 GitLab Importer Fixing VCID-8dws-9ubs-qqcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1547.yml 38.4.0
2026-04-16T21:46:07.470050+00:00 GitLab Importer Fixing VCID-ffbg-tkyw-ufad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1548.yml 38.4.0
2026-04-16T21:46:04.800262+00:00 GitLab Importer Fixing VCID-v9xj-szyz-3ufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1546.yml 38.4.0
2026-04-16T21:46:03.542511+00:00 GitLab Importer Affected by VCID-4wwa-j9p2-9be1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2008-2025.yml 38.4.0
2026-04-16T20:31:28.634619+00:00 GitLab Importer Affected by VCID-nur4-1g8a-57ew https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2014-0114.yml 38.4.0
2026-04-16T20:30:01.973352+00:00 GitLab Importer Affected by VCID-g2gb-x2nh-2bgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2012-1007.yml 38.4.0
2026-04-12T00:04:11.815320+00:00 GitLab Importer Affected by VCID-jjre-tuhb-4yat https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2023-49735.yml 38.3.0
2026-04-11T23:08:04.650105+00:00 GitLab Importer Affected by VCID-s3uq-35pj-byhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2015-0899.yml 38.3.0
2026-04-11T23:05:22.749301+00:00 GitLab Importer Affected by VCID-wqjz-93pk-pbg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1181.yml 38.3.0
2026-04-11T23:04:45.426594+00:00 GitLab Importer Affected by VCID-ppuk-knqn-tfc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1182.yml 38.3.0
2026-04-11T23:02:01.080961+00:00 GitLab Importer Fixing VCID-8dws-9ubs-qqcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1547.yml 38.3.0
2026-04-11T23:01:53.942536+00:00 GitLab Importer Fixing VCID-ffbg-tkyw-ufad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1548.yml 38.3.0
2026-04-11T23:01:50.708799+00:00 GitLab Importer Fixing VCID-v9xj-szyz-3ufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1546.yml 38.3.0
2026-04-11T23:01:49.421469+00:00 GitLab Importer Affected by VCID-4wwa-j9p2-9be1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2008-2025.yml 38.3.0
2026-04-11T21:41:50.132603+00:00 GitLab Importer Affected by VCID-nur4-1g8a-57ew https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2014-0114.yml 38.3.0
2026-04-11T21:40:31.838505+00:00 GitLab Importer Affected by VCID-g2gb-x2nh-2bgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2012-1007.yml 38.3.0
2026-04-07T04:58:19.356602+00:00 GHSA Importer Affected by VCID-vk8c-a1za-w3cd https://github.com/advisories/GHSA-cx25-xg7c-xfm5 38.1.0
2026-04-04T14:30:54.859844+00:00 GHSA Importer Affected by VCID-s3uq-35pj-byhy https://github.com/advisories/GHSA-cvvx-r33m-v7pq 38.1.0
2026-04-03T00:08:52.036914+00:00 GitLab Importer Affected by VCID-jjre-tuhb-4yat https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2023-49735.yml 38.1.0
2026-04-02T23:16:33.624644+00:00 GitLab Importer Affected by VCID-s3uq-35pj-byhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2015-0899.yml 38.1.0
2026-04-02T23:13:37.695837+00:00 GitLab Importer Affected by VCID-wqjz-93pk-pbg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1181.yml 38.1.0
2026-04-02T23:13:02.259133+00:00 GitLab Importer Affected by VCID-ppuk-knqn-tfc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1182.yml 38.1.0
2026-04-02T23:10:29.031203+00:00 GitLab Importer Fixing VCID-8dws-9ubs-qqcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1547.yml 38.1.0
2026-04-02T23:10:21.689526+00:00 GitLab Importer Fixing VCID-ffbg-tkyw-ufad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1548.yml 38.1.0
2026-04-02T23:10:18.659125+00:00 GitLab Importer Fixing VCID-v9xj-szyz-3ufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1546.yml 38.1.0
2026-04-02T23:10:17.394638+00:00 GitLab Importer Affected by VCID-4wwa-j9p2-9be1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2008-2025.yml 38.1.0
2026-04-02T21:56:01.898216+00:00 GitLab Importer Affected by VCID-nur4-1g8a-57ew https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2014-0114.yml 38.1.0
2026-04-02T21:54:36.148056+00:00 GitLab Importer Affected by VCID-g2gb-x2nh-2bgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2012-1007.yml 38.1.0
2026-04-02T17:00:47.456897+00:00 GHSA Importer Affected by VCID-jjre-tuhb-4yat https://github.com/advisories/GHSA-qw4h-3xjj-84cc 38.1.0
2026-04-02T16:59:36.073199+00:00 GHSA Importer Affected by VCID-dk2f-14xj-9bf8 https://github.com/advisories/GHSA-4g42-gqrg-4633 38.1.0
2026-04-01T17:30:04.227382+00:00 GitLab Importer Affected by VCID-4wwa-j9p2-9be1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2008-2025.yml 38.0.0
2026-04-01T16:13:12.290752+00:00 GitLab Importer Affected by VCID-nur4-1g8a-57ew https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2014-0114.yml 38.0.0
2026-04-01T16:11:56.376605+00:00 GitLab Importer Affected by VCID-g2gb-x2nh-2bgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2012-1007.yml 38.0.0
2026-04-01T16:01:29.265108+00:00 GHSA Importer Affected by VCID-wqjz-93pk-pbg7 https://github.com/advisories/GHSA-7jw3-5q4w-89qg 38.0.0
2026-04-01T16:01:28.912003+00:00 GHSA Importer Affected by VCID-ppuk-knqn-tfc6 https://github.com/advisories/GHSA-5ggr-mpgw-3mgx 38.0.0
2026-04-01T16:00:27.627355+00:00 GHSA Importer Fixing VCID-ffbg-tkyw-ufad https://github.com/advisories/GHSA-p3vw-fvwx-qcv5 38.0.0
2026-04-01T16:00:27.604157+00:00 GHSA Importer Fixing VCID-8dws-9ubs-qqcg https://github.com/advisories/GHSA-7qwv-cwgj-c8rj 38.0.0
2026-04-01T16:00:27.571426+00:00 GHSA Importer Fixing VCID-v9xj-szyz-3ufy https://github.com/advisories/GHSA-vf8g-mpmw-qv87 38.0.0
2026-04-01T13:11:45.141556+00:00 GithubOSV Importer Fixing VCID-v9xj-szyz-3ufy https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vf8g-mpmw-qv87/GHSA-vf8g-mpmw-qv87.json 38.0.0
2026-04-01T13:10:33.480075+00:00 GithubOSV Importer Fixing VCID-8dws-9ubs-qqcg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7qwv-cwgj-c8rj/GHSA-7qwv-cwgj-c8rj.json 38.0.0
2026-04-01T13:07:46.673113+00:00 GithubOSV Importer Fixing VCID-ffbg-tkyw-ufad https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p3vw-fvwx-qcv5/GHSA-p3vw-fvwx-qcv5.json 38.0.0
2026-04-01T12:52:12.176520+00:00 GitLab Importer Affected by VCID-jjre-tuhb-4yat https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2023-49735.yml 38.0.0
2026-04-01T12:50:40.843575+00:00 GitLab Importer Affected by VCID-s3uq-35pj-byhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2015-0899.yml 38.0.0
2026-04-01T12:50:21.589465+00:00 GitLab Importer Affected by VCID-wqjz-93pk-pbg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1181.yml 38.0.0
2026-04-01T12:50:16.850745+00:00 GitLab Importer Affected by VCID-ppuk-knqn-tfc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2016-1182.yml 38.0.0
2026-04-01T12:49:59.267737+00:00 GitLab Importer Fixing VCID-8dws-9ubs-qqcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1547.yml 38.0.0
2026-04-01T12:49:57.638026+00:00 GitLab Importer Fixing VCID-ffbg-tkyw-ufad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1548.yml 38.0.0
2026-04-01T12:49:56.919467+00:00 GitLab Importer Fixing VCID-v9xj-szyz-3ufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/struts/struts/CVE-2006-1546.yml 38.0.0