CVE-2016-3082Improper Input Validation in Apache Struts

CWE-20Improper Input Validation6 documents6 sources
Severity
9.8CRITICALNVD
EPSS
24.6%
top 3.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Struts
Timeline
PublishedApr 26
Latest updateJul 8

Description

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDapache/struts56 versions+55

Patches

Patch: struts.apache.orgPatch: struts.apache.org

🔴Vulnerability Details

3
OSV
Remote Code Execution in Apache Struts2022-05-17
GHSA
Remote Code Execution in Apache Struts2022-05-17
CVEList
CVE-2016-3082: XSLTResult in Apache Struts 22016-04-26

🔍Detection Rules

1
Suricata
ET EXPLOIT Apache Struts Local File Inclusion Attempt Inbound (CVE-2016-3082)2025-07-08

💬Community

1
Bugzilla
CVE-2016-3082 Struts2: XSLTResult can be used to parse arbitrary stylesheet (S2-031)2016-04-27
CVE-2016-3082 — Improper Input Validation in Apache | cvebase