CVE-2018-11776

Apache Struts vulnerable to remote command execution (RCE) due to improper input validation

Description

Apache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, action set, and it's upper actions have no or wildcard namespace.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

8.1

Severity

High

Ecosystem

Java

Publish Date

October 18, 2018

Modified Date

October 22, 2025

Score Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

Affected Versions