CVE-2025-68493

Severity: 8.1 HIGH
EPSS: 0.0% (top 92.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 11; latest update Jan 15

Description

Missing XML Validation vulnerability in Apache Struts. This issue affects Apache Struts from 2.0.0 before 2.2.1, and from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (5 packages)

Source     Package                                            Introduced  Fixed   Additional ranges
NVD        apache/struts                                      6.0.0       6.1.1   +2
Maven      org.apache.struts:struts2-core                     6.0.0       6.1.1   +2
CVEListV5  apache_software_foundation/apache_struts           2.0.0       2.2.1   +1

Vulnerability Details (3)

OSV: Apache Struts 2 is Missing XML Validation (2026-01-11)
CVEList: Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component (2026-01-11)
GHSA: Apache Struts 2 is Missing XML Validation (2026-01-11)

Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Apache Struts2 XWork Component XML External Entity (XXE) injection (CVE-2025-68493) (2026-01-15)

Vendor Advisories (1)

Red Hat: org.apache.struts: Apache Struts: Information disclosure and denial of service via missing XML validation (2026-01-11)

Threat Intelligence (1)

Wiz: CVE-2025-68493 Impact, Exploitability, and Mitigation Steps | Wiz