{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68493", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-12-19T06:50:08.538Z", "datePublished": "2026-01-11T13:05:36.894Z", "dateUpdated": "2026-01-12T13:52:58.210Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "com.opensymphony:xwork", "product": "Apache Struts", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.2.1", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.struts.xwork:xwork-core", "product": "Apache Struts", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "6.1.0", "status": "affected", "version": "2.2.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Missing XML Validation vulnerability in Apache Struts, Apache Struts.</p><p>This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.</p><p>Users are recommended to upgrade to version 6.1.1, which fixes the issue.</p>"}], "value": "Missing XML Validation vulnerability in Apache Struts, Apache Struts.\n\nThis issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.\n\nUsers are recommended to upgrade to version 6.1.1, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-112", "description": "CWE-112 Missing XML Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-01-11T13:05:36.894Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-069"}], "source": {"advisory": "S2-069", "discovery": "UNKNOWN"}, "title": "Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/01/11/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-11T20:04:11.757Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T13:52:42.349951Z", "id": "CVE-2025-68493", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:52:58.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68493", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T13:52:42.349951Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-12T13:52:54.141Z"}}], "cna": {"title": "Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component", "source": {"advisory": "S2-069", "discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Struts", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.2.1", "versionType": "semver"}], "packageName": "com.opensymphony:xwork", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache Struts", "versions": [{"status": "affected", "version": "2.2.1", "versionType": "semver", "lessThanOrEqual": "6.1.0"}], "packageName": "org.apache.struts.xwork:xwork-core", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://cwiki.apache.org/confluence/display/WW/S2-069", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing XML Validation vulnerability in Apache Struts, Apache Struts.\n\nThis issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.\n\nUsers are recommended to upgrade to version 6.1.1, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Missing XML Validation vulnerability in Apache Struts, Apache Struts.</p><p>This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.</p><p>Users are recommended to upgrade to version 6.1.1, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-112", "description": "CWE-112 Missing XML Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-01-11T13:05:36.894Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68493", "state": "PUBLISHED", "dateUpdated": "2026-01-11T20:04:11.757Z", "dateReserved": "2025-12-19T06:50:08.538Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-01-11T13:05:36.894Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing XML Validation vulnerability in Apache Struts, Apache Struts.\n\nThis issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.\n\nUsers are recommended to upgrade to version 6.1.1, which fixes the issue."}], "id": "CVE-2025-68493", "lastModified": "2026-01-13T14:03:18.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-11T13:15:45.610", "references": [{"source": "security@apache.org", "url": "https://cwiki.apache.org/confluence/display/WW/S2-069"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/01/11/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-112"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.struts: Apache Struts: Information disclosure and denial of service via missing XML validation", "id": "2428559", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428559"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "status": "draft"}, "cwe": "CWE-112", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-68493", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "javapackages-tools:201801/google-guice", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Under investigation", "package_name": "struts2-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Under investigation", "package_name": "struts2-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Under investigation", "package_name": "struts2-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-11T13:05:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68493\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68493\nhttps://cwiki.apache.org/confluence/display/WW/S2-069\nhttps://github.com/apache/struts/pull/628\nhttps://issues.apache.org/jira/browse/WW-5252"], "threat_severity": "Important"}