Where Can I Find Detailed Information and Patches for Apache Struts Vulnerabilities?

Apache Struts continues to power many enterprise web applications. Because of its widespread adoption, vulnerabilities in Struts receive significant scrutiny from both security researchers and attackers.

If you are maintaining Struts applications in 2026, knowing where to find authoritative vulnerability information—and how to obtain patches—is essential for security and compliance.

Below is a structured guide to the most reliable sources.

‍

Primary Official Sources

When researching Apache Struts vulnerabilities, always begin with official project resources.

Apache Struts Security Bulletins

The Apache Struts Security Bulletins page is the primary source for all security announcements. Bulletins are labeled as S2-### (for example, S2-067).

Each bulletin typically includes:

• A description of the vulnerability
  
• Affected versions
  
• Severity and impact details
  
• Recommended mitigation steps
  
• Upgrade guidance
  
  

This should be your first reference when a new vulnerability is disclosed.

Apache Wiki (Security Advisories)

The Apache Wiki hosts detailed technical advisories for specific vulnerabilities.

For example, documentation covering S2-067 (CVE-2024-53677) provides additional implementation details and context that may not appear in the initial bulletin. These write-ups are particularly useful for engineering teams evaluating risk exposure and remediation effort.

Apache Struts Download Page

Security fixes are typically delivered through new framework releases rather than standalone patch files.

The official Apache Struts Download Page provides access to the latest supported and secure versions. In most cases, upgrading to the most recent supported release is the recommended remediation path.

‍

Public Vulnerability Databases

Official project documentation should be supplemented with standardized vulnerability databases.

National Vulnerability Database (NVD)

The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) provides:

• Standardized Common Vulnerabilities and Exposures (CVE) records
  
• Common Vulnerability Scoring System (CVSS) severity scores
  
• Impact analysis
  
• References to upstream advisories
  
  

Searching for “Apache Struts” or a specific CVE ID allows teams to document severity and compliance impact.

CVE.org

The CVE Program website (CVE.org) allows you to track individual vulnerability identifiers, such as:

• CVE-2025-66675
  
• CVE-2024-53677
  
  

This is particularly useful when security scanners or audit reports reference CVE numbers directly.

‍

What About End-of-Life Versions?

A critical consideration is lifecycle status.

Official patches are generally not released for end-of-life (EOL) versions of Struts, including older 2.x lines. Once a version reaches EOL, newly disclosed vulnerabilities are typically not backported upstream.

For organizations running legacy systems, this creates a gap:

• Security scanners continue to flag vulnerabilities
  
• No official patch is released
  
• Compliance and operational pressure increases
  
  

In these cases, organizations must either upgrade to a supported release or establish a supported remediation strategy for their existing version.

HeroDevs provides Never-Ending Support (NES) for end-of-life Apache Struts versions. NES delivers ongoing CVE remediation and drop-in security updates, allowing organizations to maintain security and compliance while planning modernization deliberately.

‍

Key Recommendations for 2026

Based on recent disclosures and security guidance:

Upgrade to Supported Versions

Organizations should upgrade to:

• Struts 6.4.0
  
• Struts 7.0.x (and later releases)
  
  

These versions address critical vulnerabilities, including file upload flaws and remote code execution (RCE) risks.

Migrate Deprecated File Upload Mechanisms

Recent security bulletins recommend migrating from the deprecated FileUploadInterceptor to the more secure ActionFileUploadInterceptor.

Upgrading framework versions without updating deprecated components may leave applications exposed.

‍

A Structured Approach to Struts Security

To manage Apache Struts vulnerabilities effectively:

1. Monitor official Struts Security Bulletins.
   
2. Track CVE disclosures through NVD and CVE.org.
   
3. Stay on supported framework versions whenever possible.
   
4. Establish a documented strategy for handling end-of-life versions.
   
   

Apache Struts remains widely deployed because it is stable and capable. The key is ensuring that stability is matched with ongoing security maintenance.

HeroDevs keeps your Apache Struts applications secure and supported—so you can modernize on your schedule.

‍

Frequently Asked Questions About Apache Struts Vulnerabilities

Where are Apache Struts vulnerabilities officially announced?
Official vulnerabilities are announced through Apache Struts Security Bulletins (S2-###). These bulletins provide affected versions, severity information, and upgrade guidance.

Are patches released for end-of-life Struts versions?
No. Once a Struts version reaches end-of-life, the Apache project generally does not release new security patches for it. Organizations must either upgrade to a supported version or obtain ongoing security support for legacy deployments.

What is the fastest way to determine if we are affected by a Struts CVE?
Search the CVE identifier in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and cross-reference it with the official Struts Security Bulletin. This will confirm affected versions and recommended remediation steps.

Why do security scanners continue flagging old Struts versions?
Security scanners rely on publicly disclosed Common Vulnerabilities and Exposures (CVEs). If your version is listed as affected and no upstream patch exists, scanners will continue to flag it until the vulnerability is remediated or the framework is upgraded.

Is upgrading always required to fix Struts vulnerabilities?
For supported versions, upgrading to the latest secure release is typically the recommended path. For end-of-life versions, organizations need a strategy to address vulnerabilities, whether through modernization or supported remediation.

What risks are most common in recent Struts vulnerabilities?
Recent disclosures have included file upload flaws and remote code execution (RCE) risks. If left unpatched, these vulnerabilities can allow attackers to execute arbitrary code or manipulate application behavior.

How does HeroDevs help with end-of-life Struts versions?
HeroDevs provides Never-Ending Support (NES) for end-of-life Apache Struts versions, delivering continued CVE remediation and drop-in security updates. This allows organizations to maintain security and compliance while planning upgrades deliberately.