{"url":"http://public2.vulnerablecode.io/api/packages/299724?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.2.1.1","type":"maven","namespace":"org.apache.struts.xwork","name":"xwork-core","version":"2.2.1.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4582?format=json","vulnerability_id":"VCID-6241-shkt-s7ew","summary":"Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2134","reference_id":"","reference_type":"","scores":[{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99671","published_at":"2026-04-09T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.9968","published_at":"2026-05-09T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99679","published_at":"2026-05-07T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99678","published_at":"2026-05-05T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99677","published_at":"2026-04-29T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99675","published_at":"2026-04-21T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99674","published_at":"2026-04-18T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99673","published_at":"2026-04-16T12:55:00Z"},{"value":"0.91526","scoring_system":"epss","scoring_elements":"0.99672","published_at":"2026-04-13T12:55:00Z"},{"value":"0.92052","scoring_system":"epss","scoring_elements":"0.99699","published_at":"2026-04-02T12:55:00Z"},{"value":"0.92
052","scoring_system":"epss","scoring_elements":"0.99701","published_at":"2026-04-07T12:55:00Z"},{"value":"0.92052","scoring_system":"epss","scoring_elements":"0.997","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2134"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-015","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cwiki.apache.org/confluence/display/WW/S2-015"},{"reference_url":"http://security.gentoo.org/glsa/glsa-201409-04.xml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://security.gentoo.org/glsa/glsa-201409-04.xml"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e"},{"reference_url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0"},{"reference_url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f"},{"reference_url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c","reference_id":"","reference_type":"",
"scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c"},{"reference_url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe"},{"reference_url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3"},{"reference_url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba"},{"reference_url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa3"},{"reference_url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37"},{"reference_url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c1"},{"reference_url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring
_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4090","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4090"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4094","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4094"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4095","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4095"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-015.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/development/2.x/docs/s2-015.html"},{"reference_url":"http://struts.apache.org/docs/s2-015.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-015.html"},{"reference_url":"https://web.archive.org/web/20140226173351/http://www.securityfocus.com/bid/60346","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140226173351/http://www.securityfocus.com/bid/60346"},{"reference_url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpu
jan2014-1972949.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"},{"reference_url":"http://www.securityfocus.com/bid/60346","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/60346"},{"reference_url":"http://www.securityfocus.com/bid/64758","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/64758"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2134","reference_id":"CVE-2013-2134","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2134"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/38549.txt","reference_id":"CVE-2013-2134;OSVDB-93969","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/38549.txt"},{"reference_url":"https://www.securityfocus.com/bid/60345/info","reference_id":"CVE-2013-2134;OSVDB-93969","reference_type":"exploit","scores":[],"url":
"https://www.securityfocus.com/bid/60345/info"},{"reference_url":"https://github.com/advisories/GHSA-gqqm-564f-vvxq","reference_id":"GHSA-gqqm-564f-vvxq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqqm-564f-vvxq"},{"reference_url":"https://security.gentoo.org/glsa/201409-04","reference_id":"GLSA-201409-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201409-04"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54650?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.3"}],"aliases":["CVE-2013-2134","GHSA-gqqm-564f-vvxq"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6241-shkt-s7ew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15817?format=json","vulnerability_id":"VCID-fu4h-rp1z-83eq","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nXWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than 
CVE-2011-1772.3.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2088.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2088.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2088","reference_id":"","reference_type":"","scores":[{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74585","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.7446","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74451","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74488","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74496","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74487","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74522","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74529","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74559","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74402","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74406","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74433","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74408","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.7444","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74458",
"published_at":"2026-04-09T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.7448","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2088"},{"reference_url":"http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html"},{"reference_url":"http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html","reference_id":"","reference_type":"","scores":[],"url":"http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html"},{"reference_url":"https://github.com/apache/struts/commit/885ab3459e146ff830d1f7257f809f4a3dd4493a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/885ab3459e146ff830d1f7257f809f4a3dd4493a"},{"reference_url":"https://issues.apache.org/jira/browse/WW-3579","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-3579"},{"reference_url":"https://web.archive.org/web/20110726113612/http://www.ventuneac.net/security-advisories/MVSA-11-006","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20110726113612/http://www.ventuneac.net/security-advisories/MVSA-11-006"},{"reference_url":"https://web.archive.org/web/20201207174744/http://www.securityfocus.com/archive/1/518066/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/202
01207174744/http://www.securityfocus.com/archive/1/518066/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/archive/1/518066/100/0/threaded","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/archive/1/518066/100/0/threaded"},{"reference_url":"http://www.ventuneac.net/security-advisories/MVSA-11-006","reference_id":"","reference_type":"","scores":[],"url":"http://www.ventuneac.net/security-advisories/MVSA-11-006"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=723829","reference_id":"723829","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=723829"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:webwork:-:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:-:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:2.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:opensymphony:xwork:2.2.1:*
:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensymphony:xwork:2.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2088","reference_id":"CVE-2011-2088","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2088"},{"reference_url":"https://github.com/advisories/GHSA-9ccm-g362-2r35","reference_id":"GHSA-9ccm-g362-2r35","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9ccm-g362-2r35"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55063?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/299725?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-gv5f-auvz-5fda"},{"vulnerability":"VCID-hkjh-35ye-1ugj"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-nmgp-r7hb-5ke1"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-q96z-v3bs-k3dg"},{"vulnerability":"VCID-r28t-sdc5-kbga"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vkb9-11h4-dugp"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"},{"vulnerability":"VCID-z1gf-169n-m3af"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3"}],"aliases":["CVE-2011-2088","GHSA-9ccm-g362-2r35"],"ri
sk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fu4h-rp1z-83eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5069?format=json","vulnerability_id":"VCID-gv5f-auvz-5fda","summary":"The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.","references":[{"reference_url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0393.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0393.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0393","reference_id":"","reference_type":"","scores":[{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98226","published_at":"2026-05-09T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98196","published_at":"2026-04-02T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.982","published_at":"2026-04-04T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98201","published_at":"2026-04-07T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98206","published_at":"2026-04-08T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98207","published_at":"2026-04-09T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98209","published_at":"2026-04-13T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","sco
ring_elements":"0.98215","published_at":"2026-04-24T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98216","published_at":"2026-04-29T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98214","published_at":"2026-04-21T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98222","published_at":"2026-05-07T12:55:00Z"},{"value":"0.58542","scoring_system":"epss","scoring_elements":"0.98193","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0393"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e"},{"reference_url":"https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d"},{"reference_url":"http://struts.apache.org/2.x/docs/s2-008.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/s2-008.html"},{"reference_url":"http://struts.apache.org/2.x/docs/version-notes-2311.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/version-notes-2311.html"},{"reference_url":"https://web.archive.org/web/2012061214
2634/https://sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120612142634/https://sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"},{"reference_url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393"},{"reference_url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393/","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393/"},{"reference_url":"http://www.exploit-db.com/exploits/18329","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.exploit-db.com/exploits/18329"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=773164","reference_id":"773164","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=773164"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0393","reference_id":"CVE-2012-0393","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0393"},{"reference_url":"https://github.com/advisories/GHSA-hxqq-w4mr-mc62","reference_id":"GHSA-hxqq-w4mr-mc62","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hxqq-w4mr-mc62"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50524?format=json","purl":"pkg:maven/org.apache.
struts.xwork/xwork-core@2.2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-hkjh-35ye-1ugj"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-q96z-v3bs-k3dg"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vkb9-11h4-dugp"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1"}],"aliases":["CVE-2012-0393","GHSA-hxqq-w4mr-mc62"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gv5f-auvz-5fda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4752?format=json","vulnerability_id":"VCID-hkjh-35ye-1ugj","summary":"Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. 
NOTE: this issue is due to an incomplete fix for CVE-2013-1966.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2115.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2115.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2115","reference_id":"","reference_type":"","scores":[{"value":"0.87487","scoring_system":"epss","scoring_elements":"0.99454","published_at":"2026-04-01T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99473","published_at":"2026-05-07T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99472","published_at":"2026-05-09T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99471","published_at":"2026-04-24T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99469","published_at":"2026-04-21T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99468","published_at":"2026-04-16T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99465","published_at":"2026-04-13T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99464","published_at":"2026-04-11T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99463","published_at":"2026-04-09T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99462","published_at":"2026-04-08T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99461","published_at":"2026-04-07T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99459","published_at":"2026-04-04T12:55:00Z"},{"value":"0.8761","scoring_system":"epss","scoring_elements":"0.99457","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2115"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656","reference_id
":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-013","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cwiki.apache.org/confluence/display/WW/S2-013"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-014","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cwiki.apache.org/confluence/display/WW/S2-014"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/d7804297e319c7a12245e1b536e565fcea6d650","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/d7804297e319c7a12245e1b536e565fcea6d650"},{"reference_url":"https://github.com/apache/struts/commit/d934c6e7430b7b98e43a0a085a2304bd31a75c3d","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N
/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/d934c6e7430b7b98e43a0a085a2304bd31a75c3d"},{"reference_url":"https://github.com/apache/struts/commit/ea96d18d0f75c390d2595648efa3563785c272c6","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/ea96d18d0f75c390d2595648efa3563785c272c6"},{"reference_url":"https://github.com/apache/struts/commit/fed4f8e8a4ec69b5e7612b92d8ce3e476680474","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/fed4f8e8a4ec69b5e7612b92d8ce3e476680474"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4063","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4063"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-014.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/development/2.x/docs/s2-014.html"},{"reference_url":"http://struts.apache.org/docs/s2-014.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-014.html"},{"reference_url":"https://web.archive.org/web/20140212000331/http://www.sec
urityfocus.com/bid/60167","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140212000331/http://www.securityfocus.com/bid/60167"},{"reference_url":"http://www.securityfocus.com/bid/60167","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/60167"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2115","reference_id":"CVE-2013-2115","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2115"},{"reference_url":"https://github.com/advisories/GHSA-7ghm-rpc7-p7g5","reference_id":"GHSA-7ghm-rpc7-p7g5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7ghm-rpc7-p7g5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51812?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"
},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.2"}],"aliases":["CVE-2013-2115","GHSA-7ghm-rpc7-p7g5"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hkjh-35ye-1ugj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4905?format=json","vulnerability_id":"VCID-kdsa-599r-eud7","summary":"The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to \"manipulate\" the ClassLoader via the class parameter, which is passed to the getClass method.","references":[{"reference_url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045"},{"reference_url":"http://jvn.jp/en/jp/JVN19294237/index.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvn.jp/en/jp/JVN19294237/index.html"},{"reference_url":"http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0094.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0094.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0094","reference_id":"","reference_type":"","scores":[{"value":"0.93134","scoring_system":"epss","scoring_elements":"0.99794","published_at":"2026-04-04T12:55:00Z"},{"value":"0.93134","scoring_system":"epss","scor
ing_elements":"0.99799","published_at":"2026-04-29T12:55:00Z"},{"value":"0.93134","scoring_system":"epss","scoring_elements":"0.99798","published_at":"2026-05-09T12:55:00Z"},{"value":"0.93134","scoring_system":"epss","scoring_elements":"0.99796","published_at":"2026-04-13T12:55:00Z"},{"value":"0.93134","scoring_system":"epss","scoring_elements":"0.99795","published_at":"2026-04-08T12:55:00Z"},{"value":"0.93239","scoring_system":"epss","scoring_elements":"0.99808","published_at":"2026-05-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0094"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/2e2da292166adbc78c4cb1e308b30ddb4fba6d3f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/2e2da292166adbc78c4cb1e308b30ddb4fba6d3f"},{"reference_url":"https://github.com/apache/struts/commit/6315241719be167542962da436b38782ed730c62","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/6315241719be167542962da436b38782ed730c62"},{"reference_url":"https://github.com/apache/struts/commit/74e26830d2849a84729b33497f729e0f033dc147","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/74e26830d2849a84729b33497f729e0f033dc147"},{"reference_url":"http://struts.apache.org/docs/s2-021.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-021.html"},{"reference_url":"http://struts.apache.org/release/2.3.x/docs/s2-020.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_text
ual","scoring_elements":""}],"url":"http://struts.apache.org/release/2.3.x/docs/s2-020.html"},{"reference_url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094","reference_id":"","reference_type":"","scores":[],"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094"},{"reference_url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0113","reference_id":"","reference_type":"","scores":[],"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0113"},{"reference_url":"http://www-01.ibm.com/support/docview.wss?uid=swg21676706","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www-01.ibm.com/support/docview.wss?uid=swg21676706"},{"reference_url":"http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm"},{"reference_url":"http://www.konakart.com/downloads/ver-7-3-0-0-whats-new","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.konakart.com/downloads/ver-7-3-0-0-whats-new"},{"reference_url":"http://www.vmware.com/security/advisories/VMSA-2014-0007.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.vmware.com/security/advisories/VMSA-2014-0007.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1073716","reference_id":"1073716","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1073716"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0094","reference_id":"CVE-2014-0094","reference_type":"","scores":[{"value":"MODERATE","sco
ring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0094"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/33142.rb","reference_id":"CVE-2014-0113;CVE-2014-0112;CVE-2014-0094;OSVDB-103918","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/33142.rb"},{"reference_url":"https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/multi/http/struts_code_exec_classloader.rb","reference_id":"CVE-2014-0114;CVE-2014-0112;CVE-2014-0094","reference_type":"exploit","scores":[],"url":"https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/multi/http/struts_code_exec_classloader.rb"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/41690.rb","reference_id":"CVE-2014-0114;CVE-2014-0112;CVE-2014-0094","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/41690.rb"},{"reference_url":"https://github.com/advisories/GHSA-vrwc-qjmw-5rjm","reference_id":"GHSA-vrwc-qjmw-5rjm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vrwc-qjmw-5rjm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55029?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.16.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.16.2"}],"aliases":["CVE-2014-0094","GHSA-vrwc-qjmw-5rjm"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":
"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kdsa-599r-eud7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4898?format=json","vulnerability_id":"VCID-nmgp-r7hb-5ke1","summary":"The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.","references":[{"reference_url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0391.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0391.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0391","reference_id":"","reference_type":"","scores":[{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99502","published_at":"2026-05-07T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99501","published_at":"2026-05-05T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.995","published_at":"2026-04-24T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99499","published_at":"2026-04-21T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99498","published_at":"2026-04-18T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99497","publ
ished_at":"2026-04-16T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99495","published_at":"2026-04-12T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99494","published_at":"2026-04-13T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99493","published_at":"2026-04-09T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99492","published_at":"2026-04-07T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99488","published_at":"2026-04-02T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.9949","published_at":"2026-04-04T12:55:00Z"},{"value":"0.88319","scoring_system":"epss","scoring_elements":"0.99503","published_at":"2026-05-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0391"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e"},{"reference_url":"https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache
/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b"},{"reference_url":"https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892"},{"reference_url":"https://issues.apache.org/jira/browse/WW-3668","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"https://issues.apache.org/jira/browse/WW-3668"},{"reference_url":"http://struts.apache.org/2.x/docs/s2-008.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"http://struts.apache.org/2.x/docs/s2-008.html"},{"reference_url":"http://struts.apache.org/2.x/docs/version-notes-2311.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"http://struts.apache.org/2.x/docs/version-notes-2311.html"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabili
ties-catalog?field_cve=CVE-2012-0391","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0391"},{"reference_url":"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"},{"reference_url":"http://www.exploit-db.com/exploits/18329","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"http://www.exploit-db.com/exploits/18329"},{"reference_url":"http://secunia.com/advisories/47393","reference_id":"47393","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-10T20:07:52Z/"}],"url":"http://secunia.com/advisories/47393"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=773159","reference_id":"773159","reference_type":"","scores":[],"
url":"https://bugzilla.redhat.com/show_bug.cgi?id=773159"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0391","reference_id":"CVE-2012-0391","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0391"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/18984.rb","reference_id":"CVE-2012-0391;OSVDB-78277","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/18984.rb"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/18329.txt","reference_id":"CVE-2012-0394;CVE-2012-0393;CVE-2012-0392;CVE-2012-0391;OSVDB-78277;OSVDB-78276;OSVDB-78109;OSVDB-78108","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/18329.txt"},{"reference_url":"https://github.com/advisories/GHSA-4wrr-9h5r-m92w","reference_id":"GHSA-4wrr-9h5r-m92w","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4wrr-9h5r-m92w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50524?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-hkjh-35ye-1ugj"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-q96z-v3bs-k3dg"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vkb9-11h4-dugp"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:
maven/org.apache.struts.xwork/xwork-core@2.2.3.1"}],"aliases":["CVE-2012-0391","GHSA-4wrr-9h5r-m92w"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmgp-r7hb-5ke1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4988?format=json","vulnerability_id":"VCID-p9xh-frm5-8ucp","summary":"The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to \"compromise internal state of an application\" via unspecified vectors.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-1831.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-1831.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-1831","reference_id":"","reference_type":"","scores":[{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.8922","published_at":"2026-05-09T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89175","published_at":"2026-04-24T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.8918","published_at":"2026-04-26T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89184","published_at":"2026-04-29T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89192","published_at":"2026-05-05T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89209","published_at":"2026-05-07T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89096","published_at":"2026-04-01T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89104","published_at":"2026-04-02T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89119","published_at":"2026-04-04T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89121","published_at":"2
026-04-07T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89139","published_at":"2026-04-08T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89144","published_at":"2026-04-09T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89155","published_at":"2026-04-11T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89151","published_at":"2026-04-12T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89149","published_at":"2026-04-13T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89161","published_at":"2026-04-18T12:55:00Z"},{"value":"0.04514","scoring_system":"epss","scoring_elements":"0.89158","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-1831"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1831","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1831"},{"reference_url":"https://struts.apache.org/docs/s2-024.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://struts.apache.org/docs/s2-024.html"},{"reference_url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831","reference_id":"","reference_type":"","score
s":[],"url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1831"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1222515","reference_id":"1222515","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1222515"},{"reference_url":"https://github.com/advisories/GHSA-q2cg-xf9p-h457","reference_id":"GHSA-q2cg-xf9p-h457","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q2cg-xf9p-h457"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83855?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.20.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-js22-usgt-8qd9"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-zc1y-ff37-nqat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.20.1"}],"aliases":["CVE-2015-1831","GHSA-q2cg-xf9p-h457"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p9xh-frm5-8ucp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4658?format=json","vulnerability_id":"VCID-q96z-v3bs-k3dg","summary":"Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL 
expression.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-4387","reference_id":"","reference_type":"","scores":[{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92086","published_at":"2026-05-09T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.9204","published_at":"2026-04-13T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92043","published_at":"2026-04-11T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92044","published_at":"2026-04-12T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92059","published_at":"2026-04-16T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92056","published_at":"2026-04-18T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92054","published_at":"2026-04-21T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92058","published_at":"2026-04-24T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92057","published_at":"2026-04-26T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92053","published_at":"2026-04-29T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92064","published_at":"2026-05-05T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92078","published_at":"2026-05-07T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92003","published_at":"2026-04-01T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92011","published_at":"2026-04-02T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92019","published_at":"2026-04-04T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92024","published_at":"2026-04-07T12:55:00Z"},{"value":"0.07916","scoring_system":"epss","scoring_elements":"0.92037","publi
shed_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-4387"},{"reference_url":"http://secunia.com/advisories/50420","reference_id":"","reference_type":"","scores":[],"url":"http://secunia.com/advisories/50420"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/78183","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/78183"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/80e03182d66d9e6ab18f9a9a9b3c42725a1c89e9","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/80e03182d66d9e6ab18f9a9a9b3c42725a1c89e9"},{"reference_url":"https://github.com/apache/struts/commit/87935af56a27235e9399308ee1fcfb74f8edcefa","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/87935af56a27235e9399308ee1fcfb74f8edcefa"},{"reference_url":"https://issues.apache.org/jira/browse/WW-3860","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-3860"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-4387","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:N/I:N/A:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-4387"},{"reference_url":"http://struts.apache.o
rg/2.x/docs/s2-011.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/s2-011.html"},{"reference_url":"http://struts.apache.org/docs/s2-011.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-011.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/09/01/4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2012/09/01/4"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/09/01/5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2012/09/01/5"},{"reference_url":"http://www.securityfocus.com/bid/55346","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/55346"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts
:2.0.10:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/
search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*"},{"refer
ence_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:str
uts:2.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*","reference_type":"","scores":
[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a
:apache:struts:2.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?a
dv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-hrgc-54mv-58gv","reference_id":"GHSA-hrgc-54mv-58gv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hrgc-54mv-58gv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83972?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-hkjh-35ye-1ugj"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vkb9-11h4-dugp"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.4.1"}],"aliases":["CVE-2012-4387","GHSA-hrgc-54mv-58gv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q96z-v3bs-k3dg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4615?format=json","vulnerability_id":"VCID-r28t-sdc5-kbga","summary":"The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static 
method.","references":[{"reference_url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0392.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0392.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0392","reference_id":"","reference_type":"","scores":[{"value":"0.74968","scoring_system":"epss","scoring_elements":"0.98888","published_at":"2026-05-09T12:55:00Z"},{"value":"0.74968","scoring_system":"epss","scoring_elements":"0.98887","published_at":"2026-05-07T12:55:00Z"},{"value":"0.74968","scoring_system":"epss","scoring_elements":"0.98886","published_at":"2026-05-05T12:55:00Z"},{"value":"0.74968","scoring_system":"epss","scoring_elements":"0.98883","published_at":"2026-04-29T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99346","published_at":"2026-04-02T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99348","published_at":"2026-04-04T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99349","published_at":"2026-04-07T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99351","published_at":"2026-04-09T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99353","published_at":"2026-04-11T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99355","published_at":"2026-04-13T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99357","published_at":"2026-04-21T12:55:00Z"},{"value":"0.85099","scoring_system":"epss","scoring_elements":"0.99359","published_at":"2026-04-26T12:55:00Z"}],"url":"https://
api.first.org/data/v1/epss?cve=CVE-2012-0392"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e"},{"reference_url":"https://github.com/apache/struts/commit/34c80dae734e70f13c0e46f9c83602fb71318e58","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/34c80dae734e70f13c0e46f9c83602fb71318e58"},{"reference_url":"https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.immunityinc.com/pipermail/dailydave/2012-January/000011.html"},{"reference_url":"http://struts.apache.org/2.x/docs/s2-008.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/s2-008.html"},{"reference_url":"http://struts.apache.org/2.x/docs/version-notes-2311.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/version-notes-2311.html"},{"reference_url":"https://web.archive.org/web/20120612142634/https://sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120612142634/https://sec-consult
.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"},{"reference_url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393"},{"reference_url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393/","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20140723153720/http://secunia.com/advisories/47393/"},{"reference_url":"http://www.exploit-db.com/exploits/18329","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.exploit-db.com/exploits/18329"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=773162","reference_id":"773162","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=773162"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0392","reference_id":"CVE-2012-0392","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0392"},{"reference_url":"https://github.com/advisories/GHSA-2ppp-xj34-vvf7","reference_id":"GHSA-2ppp-xj34-vvf7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2ppp-xj34-vvf7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50524?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-hkjh-35ye-1ugj"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-q96z-v3bs-k3dg"},{"vulnerabi
lity":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vkb9-11h4-dugp"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1"}],"aliases":["CVE-2012-0392","GHSA-2ppp-xj34-vvf7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r28t-sdc5-kbga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20221?format=json","vulnerability_id":"VCID-tgd1-s1yg-9fdt","summary":"Apache Struts 2 is Missing XML Validation\nMissing XML Validation vulnerability in Apache Struts, Apache Struts.\n\nThis issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.\n\nUsers are recommended to upgrade to version 6.1.1, which fixes the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68493.json","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68493.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68493","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07799","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07676","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0766","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07585","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07572","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07712","published_a
t":"2026-04-21T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07661","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07638","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07607","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07588","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07728","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07598","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0764","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07615","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07673","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07691","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0769","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68493"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-069","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-12T13:52:42Z/"}],"url":"https://cwiki.apache.org/confluence/display/WW/S2-069"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I
:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68493","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68493"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/01/11/2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/01/11/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2428559","reference_id":"2428559","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2428559"},{"reference_url":"https://github.com/advisories/GHSA-qcfc-hmrc-59x7","reference_id":"GHSA-qcfc-hmrc-59x7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcfc-hmrc-59x7"}],"fixed_packages":[],"aliases":["CVE-2025-68493","GHSA-qcfc-hmrc-59x7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tgd1-s1yg-9fdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5128?format=json","vulnerability_id":"VCID-ufcq-57q9-53c7","summary":"The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors.  
NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself.\"","references":[{"reference_url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0394.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0394.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0394","reference_id":"","reference_type":"","scores":[{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99747","published_at":"2026-05-07T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99746","published_at":"2026-05-09T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99745","published_at":"2026-04-24T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99743","published_at":"2026-04-21T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99742","published_at":"2026-04-18T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99741","published_at":"2026-04-13T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99739","published_at":"2026-04-04T12:55:00Z"},{"value":"0.92567","scoring_system":"epss","scoring_elements":"0.99738","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0394"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/34c80dae734e70f13c0e46f9c83602fb71318e5
8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/34c80dae734e70f13c0e46f9c83602fb71318e58"},{"reference_url":"https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d"},{"reference_url":"https://issues.apache.org/jira/browse/WW-3729","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-3729"},{"reference_url":"http://struts.apache.org/2.x/docs/s2-008.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/s2-008.html"},{"reference_url":"http://struts.apache.org/2.x/docs/version-notes-2311.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.x/docs/version-notes-2311.html"},{"reference_url":"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"},{"reference_url":"http://www.exploit-db.com/exploits/18329","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.exploit-db.com/exploits/18329"},{"reference_url":"http://www.exploit-db.com/exploits/31434","reference_id":"","reference_type":"","scores":[{"
value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.exploit-db.com/exploits/31434"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=773167","reference_id":"773167","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=773167"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0394","reference_id":"CVE-2012-0394","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0394"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/remote/31434.rb","reference_id":"CVE-2012-0394;OSVDB-78276","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/remote/31434.rb"},{"reference_url":"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","reference_id":"CVE-2012-0394;OSVDB-78276","reference_type":"exploit","scores":[],"url":"https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"},{"reference_url":"https://github.com/advisories/GHSA-hmvj-gc9q-mg9p","reference_id":"GHSA-hmvj-gc9q-mg9p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hmvj-gc9q-mg9p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50521?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.18"},{"url":"http://public2.vulnerablecode.io/api/packages/299743?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.20","is_vulnerable":true,"affected_by_
vulnerabilities":[{"vulnerability":"VCID-js22-usgt-8qd9"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-zc1y-ff37-nqat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.20"}],"aliases":["CVE-2012-0394","GHSA-hmvj-gc9q-mg9p"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ufcq-57q9-53c7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4652?format=json","vulnerability_id":"VCID-vkb9-11h4-dugp","summary":"Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1966.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1966.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1966","reference_id":"","reference_type":"","scores":[{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99652","published_at":"2026-05-09T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99643","published_at":"2026-04-12T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99644","published_at":"2026-04-16T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99646","published_at":"2026-04-18T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99647","published_at":"2026-04-21T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99648","published_at":"2026-04-24T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99649","published_at":"2026-04-26T12:55:00Z"},{"value":"0.91096","scoring_sys
tem":"epss","scoring_elements":"0.9965","published_at":"2026-04-29T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99651","published_at":"2026-05-05T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99641","published_at":"2026-04-04T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.9964","published_at":"2026-04-02T12:55:00Z"},{"value":"0.91096","scoring_system":"epss","scoring_elements":"0.99642","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1966"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=967656"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-013","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cwiki.apache.org/confluence/display/WW/S2-013"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/7e6f641ebb142663cbd1653dc49bed725edf7f56","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/7e6f641ebb142663cbd1653dc49bed725edf7f56"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-013.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/development/2.x/docs/s2-013.html"},{"reference_url":"http://struts.apache.org/docs/s2-013.html","reference_id":"","reference_type":"","scores
":[],"url":"http://struts.apache.org/docs/s2-013.html"},{"reference_url":"http://struts.apache.org/docs/s2-014.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-014.html"},{"reference_url":"http://www.securityfocus.com/bid/60166","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/60166"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1966","reference_id":"CVE-2013-1966","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1966"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/25980.rb","reference_id":"CVE-2013-2115;OSVDB-93645;CVE-2013-1966","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/25980.rb"},{"reference_url":"https://github.com/advisories/GHSA-737w-mh58-cxjp","reference_id":"GHSA-737w-mh58-cxjp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-737w-mh58-cxjp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51812?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerabil
ity":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.2"}],"aliases":["CVE-2013-1966","GHSA-737w-mh58-cxjp"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vkb9-11h4-dugp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4544?format=json","vulnerability_id":"VCID-vnkw-9fa2-zqcm","summary":"Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both \"${}\" and \"%{}\" sequences, which causes the OGNL code to be evaluated twice.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2135","reference_id":"","reference_type":"","scores":[{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99245","published_at":"2026-04-01T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99268","published_at":"2026-05-09T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99267","published_at":"2026-05-07T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99266","published_at":"2026-05-05T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99262","published_at":"2026-04-29T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99261","published_at":"2026-04-26T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99258","published_at":"2026-04-21T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99257","published_at":"2026-04-18T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.9925","published_at":"2026-04-04T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99247","published_at"
:"2026-04-02T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99256","published_at":"2026-04-12T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99255","published_at":"2026-04-13T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99254","published_at":"2026-04-08T12:55:00Z"},{"value":"0.83013","scoring_system":"epss","scoring_elements":"0.99253","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2135"},{"reference_url":"https://cwiki.apache.org/confluence/display/WW/S2-015","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cwiki.apache.org/confluence/display/WW/S2-015"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e"},{"reference_url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/01e6b251b4db78bfb7971033652e81d1af4cb3e0"},{"reference_url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/041206d2a693d02c0cb2e72765275e55ba14049f"},{"reference_url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c","reference_id":"","reference
_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/113c47082c09818bcef65acc436a2d0c7c47aa6c"},{"reference_url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe"},{"reference_url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/54e5c912ebd9a1599bfcf7a719da17c28127bbe3"},{"reference_url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/711cf0201cdd319a38cf29238913312355db29ba"},{"reference_url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa3"},{"reference_url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/8b4fc81daeea3834bcbf73de5f48d0021917aa37"},{"reference_url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c1"},{"reference_url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16","reference_id":"","reference_type":"","scores":[{"value":"HIGH
","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/cfb6e9afbae320a4dd5bdd655154ab9fe5a92c16"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4090","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4090"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4094","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4094"},{"reference_url":"https://issues.apache.org/jira/browse/WW-4095","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-4095"},{"reference_url":"http://struts.apache.org/development/2.x/docs/s2-015.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/development/2.x/docs/s2-015.html"},{"reference_url":"http://struts.apache.org/docs/s2-015.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-015.html"},{"reference_url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20140410223942/http://www.securityfocus.com/bid/64758"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"},{"reference_url":"http://www.oracle.com/technetwork/topics/security/cpuoct201
3-1899837.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html"},{"reference_url":"http://www.securityfocus.com/bid/64758","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/64758"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2135","reference_id":"CVE-2013-2135","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2135"},{"reference_url":"https://github.com/advisories/GHSA-pw8r-x2qm-3h5m","reference_id":"GHSA-pw8r-x2qm-3h5m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pw8r-x2qm-3h5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54650?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.3.14.3"}],"aliases":["CVE-2013-2135","GHSA-pw8r-x2qm-3h5m"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.4","resource_url":"http://public2.vulnerableco
de.io/vulnerabilities/VCID-vnkw-9fa2-zqcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5020?format=json","vulnerability_id":"VCID-z1gf-169n-m3af","summary":"Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.","references":[{"reference_url":"http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012"},{"reference_url":"http://jvn.jp/en/jp/JVN79099262/index.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvn.jp/en/jp/JVN79099262/index.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0838.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0838.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0838","reference_id":"","reference_type":"","scores":[{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93525","published_at":"2026-05-09T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93451","published_at":"2026-04-08T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93455","published_at":"2026-04-09T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.9346","published_at":"2026-04-12T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93461","published_at":"2026-04-13T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93481","published_at":"2026-04-16T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93486","publ
ished_at":"2026-04-18T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93492","published_at":"2026-04-21T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93496","published_at":"2026-04-24T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93493","published_at":"2026-04-29T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.935","published_at":"2026-05-05T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93514","published_at":"2026-05-07T12:55:00Z"},{"value":"0.11109","scoring_system":"epss","scoring_elements":"0.93443","published_at":"2026-04-07T12:55:00Z"},{"value":"0.13997","scoring_system":"epss","scoring_elements":"0.94295","published_at":"2026-04-01T12:55:00Z"},{"value":"0.13997","scoring_system":"epss","scoring_elements":"0.94315","published_at":"2026-04-04T12:55:00Z"},{"value":"0.13997","scoring_system":"epss","scoring_elements":"0.94304","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0838"},{"reference_url":"https://github.com/apache/struts","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts"},{"reference_url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e"},{"reference_url":"https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b"},{"reference_url":"https://github.com/apache/struts/commit/b4265
d369dc29d57a9f2846a85b26598e83f3892","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892"},{"reference_url":"https://issues.apache.org/jira/browse/WW-3668","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/WW-3668"},{"reference_url":"http://struts.apache.org/2.3.1.2/docs/s2-007.html","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://struts.apache.org/2.3.1.2/docs/s2-007.html"},{"reference_url":"http://struts.apache.org/docs/s2-007.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-007.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=799980","reference_id":"799980","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=799980"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0838","reference_id":"CVE-2012-0838","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0838"},{"reference_url":"https://github.com/advisories/GHSA-mwrx-hx6x-3hhv","reference_id":"GHSA-mwrx-hx6x-3hhv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mwrx-hx6x-3hhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50524?format=json","purl":"pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6241-shkt-s7ew"},{"vulnerability":"VCID-hkjh-35ye-1ugj"},{"vulnerability":"VCID-kdsa-599r-eud7"},{"vulnerability":"VCID-p9xh-frm5-8ucp"},{"vulnerability":"
VCID-q96z-v3bs-k3dg"},{"vulnerability":"VCID-tgd1-s1yg-9fdt"},{"vulnerability":"VCID-ufcq-57q9-53c7"},{"vulnerability":"VCID-vkb9-11h4-dugp"},{"vulnerability":"VCID-vnkw-9fa2-zqcm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.3.1"}],"aliases":["CVE-2012-0838","GHSA-mwrx-hx6x-3hhv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z1gf-169n-m3af"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts.xwork/xwork-core@2.2.1.1"}