CVE-2016-3082
Published 2016-04-26
Priority: P2 67 · critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 20.83% (97.2th percentile)
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
Affected
56 version ranges, all for vendor apache / product struts; the affected branches are those given in the description above.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
Detection & IOCs (extracted from sources)
- URL: /XSLAction.action
- Other: xslt.location=
- Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Struts Local File Inclusion Attempt Inbound (CVE-2016-3082)"; flow:established,to_server; http.uri; content:"/XSLAction.action"; content:"xslt.location="; fast_pattern; reference:cve,2016-3082; classtype:attempted-admin; sid:2063344; rev:1; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2025_07_08, cve CVE_2016_3082, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect inbound HTTP requests targeting the XSLAction endpoint with a user-controlled 'xslt.location' parameter, which is the attack vector for arbitrary stylesheet injection and RCE.
- Monitor HTTP URI paths for '/XSLAction.action' combined with 'xslt.location=' in the query string as a high-confidence indicator of exploitation attempts.
- The vulnerability is in XSLTResult; hunt for Struts 2 applications exposing XSLT-based actions where the stylesheet location is attacker-controllable via request parameters.
- Scan source packages and build artifacts for struts2*.jar files, as vulnerable jars may have been inadvertently included in downstream builds (e.g., via google-guice imports).
- The vulnerability only manifests when XSLTResult is used and the stylesheet location is exposed as a request parameter. Applications not using XSLTResult, or that restrict the location parameter, are not directly exploitable.
- Affected versions are Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1. Ensure version checks cover all three affected branches.
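An added example (not from this page, the rule's authors, or the Struts project) showing the two checks the bullets above describe: the Snort/Suricata rule's URI logic applied to access-log lines, and a version test that covers all three affected branches rather than only "older than 2.3.20.2". The log lines, client IPs and the PLACEHOLDER parameter value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the page). Only the
# first two carry both markers the rule looks for; the parameter value is a
# placeholder, since the rule keys on the parameter name alone.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2025:10:01:02 +0000] "GET /XSLAction.action?xslt.location=PLACEHOLDER HTTP/1.1" 200 512
203.0.113.5 - - [08/Jul/2025:10:01:03 +0000] "GET /app/XSLAction.action?id=1&xslt.location=PLACEHOLDER HTTP/1.1" 500 0
198.51.100.9 - - [08/Jul/2025:10:02:00 +0000] "GET /XSLAction.action?id=7 HTTP/1.1" 200 2048
198.51.100.9 - - [08/Jul/2025:10:02:05 +0000] "GET /index.action?xslt.location=x HTTP/1.1" 404 0
"""

REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_cve_2016_3082_attempt(target):
    """Mirror the rule's two content matches on the request URI: the XSLAction
    endpoint in the path and an xslt.location parameter in the query string.
    Testing the parsed parameter name (rather than a raw substring) avoids
    matching the text inside some unrelated parameter value."""
    parts = urlsplit(target)
    if "/XSLAction.action" not in parts.path:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return "xslt.location" in params

def scan_access_log(text):
    """Return (client_ip, method, target) for every matching request line.
    Like the rule's http.uri match this only sees the query string; a
    parameter sent in a POST body is not visible in an access log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m and is_cve_2016_3082_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target")))
    return hits

def is_affected_struts_version(version):
    """Apply the three affected branches exactly as stated on this page:
    2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, 2.3.28.x before 2.3.28.1."""
    v = tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))
    if not v or v[0] != 2:
        return False
    return (v < (2, 3, 20, 2)
            or (v[:3] == (2, 3, 24) and v < (2, 3, 24, 2))
            or (v[:3] == (2, 3, 28) and v < (2, 3, 28, 1)))

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible CVE-2016-3082 attempt:", hit)
    for ver in ("2.3.16.3", "2.3.20.2", "2.3.24.1", "2.3.28.1", "2.5.10"):
        print(ver, "affected" if is_affected_struts_version(ver) else "not affected")
```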
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
OSV
Remote Code Execution in Apache Struts (osv, 2022-05-17, CRITICAL)
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
GHSA
Remote Code Execution in Apache Struts (ghsa, 2022-05-17, CRITICAL, CWE-20)
XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Suricata
ET EXPLOIT Apache Struts Local File Inclusion Attempt Inbound (CVE-2016-3082) (suricata, 2025-07-08, CVSS 9.8, CRITICAL)
Rule: sid 2063344, rev 1, as quoted in full under Detection & IOCs above.
No public exploits indexed.