Preface: Many large, enterprise-level companies across various industries use or have used the open-source Apache Struts framework for building Java web applications. Companies using this framework must ensure they are on a currently supported version and apply security patches immediately.
Background: The Model-View-Controller (MVC) is a software architectural pattern used in Java and other programming languages to separate an application’s logic into three interconnected core components: the Model (data and business logic), the View (user interface), and the Controller (input handling and coordination).
This separation of concerns makes applications easier to manage, test, and scale by allowing developers to modify one part of the application without significantly affecting the others.
Apache Struts is a framework for building enterprise-level Java apps. It follows the Model-View-Controller (MVC) pattern. Struts helps maintain a clean code structure and scalability. The framework supports internationalization, making it ideal for multi-language apps. It integrates easily with other Java EE components like EJBs and JMS.
Vulnerability details: Missing XML Validation vulnerability in Apache Struts. This CVE (based on its pattern and recent advisories) likely relates to remote code execution (RCE) or OGNL injection triggered by unsafe configurations or certain result types. Exposure is greater if your configuration:
- Allows user-controlled parameters to influence OGNL expressions.
- Uses developer mode in production.
- Has wildcard mappings or dynamic method calls.
Official announcement: Please refer to the link for details –
https://www.tenable.com/cve/CVE-2025-68493
This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.
Users are recommended to upgrade to version 6.1.1, which fixes the issue.
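The following script is an added example, not part of the original post and not from the Apache Struts project. It turns the two actionable parts of the post into a quick audit: the affected version ranges quoted above (2.0.0 before 2.2.1, 2.2.1 through 6.1.0, fixed in 6.1.1) and the configuration factors listed above (developer mode in production, dynamic method invocation, wildcard action mappings). It assumes the constants are declared as `<constant name="..." value="..."/>` elements in a struts.xml and that the version string is taken from the deployed struts2-core jar name or build file; the sample struts.xml below is constructed for illustration. It does not check for the vulnerability itself, which the post does not describe.

```python
"""Audit a Struts deployment for the advisory's version range and the
exposure factors listed in the post (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

# Affected version ranges as quoted in the advisory text: (lower, upper, upper_inclusive).
AFFECTED_RANGES = [
    ("2.0.0", "2.2.1", False),  # from 2.0.0 before 2.2.1
    ("2.2.1", "6.1.0", True),   # from 2.2.1 through 6.1.0
]
FIXED_VERSION = "6.1.1"

# Real Struts constant names; the value given is the safe (and default) setting.
RISKY_CONSTANTS = {
    "struts.devMode": "false",                         # developer mode must be off in production
    "struts.enable.DynamicMethodInvocation": "false",  # disables action!method style calls
}

# Constructed sample struts.xml (not taken from any real deployment).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
    <constant name="struts.devMode" value="true"/>
    <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
    <constant name="struts.action.extension" value="action"/>
    <package name="default" namespace="/" extends="struts-default">
        <action name="*" class="com.example.{1}Action"/>
    </package>
</struts>
"""


def parse_version(text):
    """'2.5.30' -> (2, 5, 30); a suffix such as '6.0.3-SNAPSHOT' keeps only the numeric part."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for lower, upper, inclusive in AFFECTED_RANGES:
        lo, hi = parse_version(lower), parse_version(upper)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False


def audit_struts_xml(xml_text):
    """Return a list of findings for risky constants and wildcard action mappings."""
    findings = []
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        name = const.get("name", "")
        value = const.get("value", "").strip().lower()
        expected = RISKY_CONSTANTS.get(name)
        if expected is not None and value != expected:
            findings.append(f"{name}={value} (expected {expected})")
    for action in root.iter("action"):
        name = action.get("name", "")
        if "*" in name:  # wildcard mapping: review what the pattern can reach
            findings.append(f'wildcard action mapping: name="{name}"')
    return findings


if __name__ == "__main__":
    for ver in ("2.5.30", "6.1.0", "6.1.1"):
        state = "AFFECTED, upgrade to " + FIXED_VERSION if is_affected(ver) else "not in affected range"
        print(f"struts2-core {ver}: {state}")
    for finding in audit_struts_xml(SAMPLE_STRUTS_XML):
        print("config finding:", finding)
```

Run it against the real struts.xml of a deployment by passing the file's contents to `audit_struts_xml`; an empty findings list plus a version outside the affected ranges is the baseline to aim for, and any wildcard mapping that does show up should be reviewed for what action classes the pattern can reach.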