Missing XML Validation Vulnerability in Apache Struts by Apache
CVE-2025-68493
Key Information:
- Vendor: Apache
- CVE Published: 11 January 2026
What is CVE-2025-68493?
CVE-2025-68493 is a vulnerability in Apache Struts, the open-source framework widely used for building Java web applications. The framework processes attacker-supplied XML without rejecting document type declarations and the entity definitions they carry; the coverage listed under News Articles describes the result as XML external entity (XXE) injection. A crafted XML request can therefore cause the server-side parser to read files it should not, exposing sensitive data, or to consume resources until the application stops responding. The affected range spans Apache Struts 2.0.0 through 6.1.0 inclusive, so every Struts 2 and Struts 6 deployment up to that release should be upgraded; until that is done, XML input from untrusted clients should be parsed with DOCTYPE processing and external entity resolution disabled.
Potential impact of CVE-2025-68493
- Data integrity risks: without proper XML validation a malicious user can submit malformed or entity-laden documents that the application accepts as well-formed input, corrupting application state or manipulating stored data.
- Unauthorized access: an external entity can point the parser at local files, so an attacker can read configuration, credentials or other sensitive material from the server, which in turn supports further attacks and larger data breaches.
- Operational disruption: entity expansion and external references can be used to exhaust memory or block the parser, producing denial of service or application crashes, with the reputational and financial cost that downtime brings.
Affected Version(s)
Apache Struts 2.0.0 up to (excluding) 2.2.1
Apache Struts 2.2.1 up to and including 6.1.0
News Articles
Years-Old Apache Struts2 Vulnerability Downloaded 325K+ Times in the Past Week
AI-discovered Apache Struts vulnerability CVE-2025-68493 is still widely used, with over 380,000 downloads of vulnerable versions in just one week.
23 hours ago
Critical Apache Struts 2 Vulnerability Allow Attackers to Steal Sensitive Data
XML external entity (XXE) injection flaw found in Apache Struts 2, exposing millions of applications to data theft and server compromise.
2 days ago
Apache Struts 2 Vulnerability CVE-2025-68493 Exposes Sensitive Data
Discover the critical Apache Struts 2 vulnerability CVE-2025-68493 that exposes sensitive data. Learn how to protect your applications from data breaches and Denial-of-Service attacks.
3 days ago
Timeline
- Exploit known to exist
- First article discovered by gbhackers.com
- Vulnerability published
- Vulnerability reserved