2428559 – (CVE-2025-68493) CVE-2025-68493 org.apache.struts: Apache Struts: Information disclosure and denial of service via missing XML validation

Bug 2428559 (CVE-2025-68493) - CVE-2025-68493 org.apache.struts: Apache Struts: Information disclosure and denial of service via missing XML validation

Summary: CVE-2025-68493 org.apache.struts: Apache Struts: Information disclosure and d...

Keywords:
Status:	NEW
Alias:	CVE-2025-68493
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2428721 2428722
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-11 14:01 UTC by OSIDB Bzimport
Modified:	2026-01-12 18:12 UTC (History)
CC List:	56 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-11 14:01:17 UTC

Missing XML Validation vulnerability in Apache Struts, Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

Users are recommended to upgrade to version 6.1.1, which fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.

aschwart
asoldano
ataylor
bbaranow
bmaxwell
boliveir
brian.stansberry
ccranfor
chfoley
csutherl
darran.lofthouse
dbruscin
dhanak
dosoudil
drosa
dsoumis
fjuma
fmariani
gmalinko
ibek
istudens
ivassile
iweiss
janstey
jclere
jpechane
jrokos
jscholz
kvanderr
kverlaen
mnovotny
mosmerov
mposolda
msvehla
nwallace
pberan
pbizzarr
pdelbell
pesilva
pjindal
plodge
pmackay
rmartinc
rmaucher
rstancel
rstepani
sausingh
smaestri
ssilvert
sthorger
swoodman
szappis
tcunning
tom.jenkinson
vmuzikar
yfang