CVE-2026-0089

Critical

Remote Code Execution in Apache Struts 2.x

Published: Jan 30, 2026
Updated: Feb 01, 2026

Description

A critical vulnerability has been identified in Apache Struts 2.0.0 through 2.5.30 and 6.0.0 through 6.0.3 (see Affected Software below). An unauthenticated remote attacker can execute arbitrary code on the target server by sending a malformed HTTP request whose header carries a malicious OGNL expression; the root cause is improper validation of untrusted input in the multipart parser, which lets the header content reach OGNL evaluation. Injected code runs with the privileges of the Java process hosting Struts, normally the servlet container. Where that container runs as `root` or `SYSTEM`, as it still does in many deployments, successful exploitation yields full control of the host.

Affected Software

  • Apache Struts 2.0.0 - 2.5.30
  • Apache Struts 6.0.0 - 6.0.3
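The following is an added example for checking deployed `struts2-core` jars against the ranges listed above; it is not part of this advisory or of the Struts project. The affected ranges and fixed versions are the ones this page states, inclusive, and the jar-name pattern, the `classify` labels and the treatment of versions the page does not list (reported as `unlisted`, not as safe) are this example's own assumptions.

```python
"""Classify struts2-core versions against the ranges listed on this page.

Added example, not advisory or vendor code. Ranges and fixed versions are taken
from the Affected Software and Remediation sections; everything else is assumed.
"""
import os
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges, as listed under "Affected Software".
AFFECTED_RANGES = (
    ((2, 0, 0), (2, 5, 30)),
    ((6, 0, 0), (6, 0, 3)),
)
# Fixed releases named under "Remediation".
FIXED_VERSIONS = ((2, 5, 31), (6, 1, 0))

# struts2-core jars are named like struts2-core-2.5.30.jar. Four-part versions
# such as 2.3.16.3 occurred in the 2.x line, so the capture allows any depth.
_JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '2.5.30' into (2, 5, 30); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: Version) -> bool:
    """True if version lies inside any listed range (inclusive tuple comparison,
    so 2.3.16.3 sorts between 2.0.0 and 2.5.30 as expected)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def version_from_jar(path: str) -> Optional[str]:
    """Extract the version from a struts2-core jar path, or None if it is not one.
    Snapshot or qualified builds (e.g. -SNAPSHOT) are deliberately not matched."""
    m = _JAR_RE.search(path.replace("\\", "/"))
    return m.group(1) if m else None


def classify(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a version string.

    'unlisted' covers anything this page does not name (e.g. a hypothetical
    6.0.4, or later major lines); treat it as needing vendor confirmation,
    not as safe.
    """
    v = parse_version(version_text)
    if is_affected(v):
        return "affected"
    # At or past a fixed release on the same major line counts as fixed.
    if any(v[0] == f[0] and v >= f for f in FIXED_VERSIONS):
        return "fixed"
    return "unlisted"


def scan_tree(root: str):
    """Yield (jar path, classification) for every struts2-core jar under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ver = version_from_jar(path)
            if ver is not None:
                yield path, classify(ver)


if __name__ == "__main__":
    # Usage: python struts_check.py /opt/tomcat/webapps
    for jar, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:9s} {jar}")
```

Run it against each servlet container's webapps directory; a jar reported as `affected` needs the upgrade named under Remediation, and an `unlisted` result is a prompt to check the vendor's announcement, not a clean bill of health.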

Remediation

Upgrade to Apache Struts 2.5.31 or 6.1.0 immediately. If upgrading is not immediately possible, block requests whose headers carry OGNL expression syntax at the WAF or reverse proxy as a stopgap, and treat that as a mitigation rather than a fix: pattern matching on headers can be evaded by encoding or obfuscation, so the upgrade remains mandatory.
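An added example of the kind of stopgap header screening the remediation refers to; it is not this advisory's or the vendor's rule set. It flags headers containing common OGNL markers (the `%{`/`${` expression delimiters, `@class@` static references and `_memberAccess`), checked raw and after one round of percent-decoding, and treats a bare `#name` as context only because that is also ordinary URL-fragment syntax. Which header the attack uses is not stated on this page, so all headers are screened. The sample requests are constructed, not captured traffic, and the pattern set is a heuristic, not a signature for this CVE.

```python
"""Screen HTTP request headers for OGNL expression syntax.

Added example of a WAF-style stopgap, not vendor code. The markers are common
OGNL constructs; they are a heuristic and can be evaded, so the upgrade still
has to happen.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

Header = Tuple[str, str]
Markers = Dict[str, List[str]]

# Any one of these decides on its own that a header is suspicious.
HARD_MARKERS = {
    "expression_delimiter": re.compile(r"[%$]\{"),            # %{ ... } or ${ ... }
    "static_reference": re.compile(r"@[A-Za-z_][\w.]*@"),     # @java.lang.Runtime@
    "member_access": re.compile(r"_memberAccess", re.IGNORECASE),
}
# Reported for context only: '#name' is also plain URL-fragment syntax.
SOFT_MARKERS = {
    "ognl_variable": re.compile(r"#[A-Za-z_]\w*"),
}


def parse_request_headers(raw: str) -> List[Header]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs.
    The request line is skipped and the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Header] = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; a real WAF would reject the request
        headers.append((name.strip(), value.strip()))
    return headers


def ognl_markers(value: str) -> Markers:
    """Marker names found in a header value, checked raw and after one
    percent-decoding pass so %24%7B is seen as ${."""
    found: Markers = {}
    for text in (value, unquote(value)):
        for name, pattern in {**HARD_MARKERS, **SOFT_MARKERS}.items():
            for hit in pattern.findall(text):
                bucket = found.setdefault(name, [])
                if hit not in bucket:
                    bucket.append(hit)
    return found


def suspicious_headers(raw: str) -> List[Tuple[str, Markers]]:
    """Headers carrying at least one hard marker, with everything that matched."""
    results = []
    for name, value in parse_request_headers(raw):
        markers = ognl_markers(value)
        if any(m in HARD_MARKERS for m in markers):
            results.append((name, markers))
    return results


def should_block(raw: str) -> bool:
    """Blocking decision for the whole request."""
    return bool(suspicious_headers(raw))


# Constructed sample requests (not captured traffic).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Referer: https://app.example.test/form#section-2\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundaryAbc123\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
OGNL_IN_CONTENT_TYPE = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe='x')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
ENCODED_STATIC_REF = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=%24%7B@java.lang.Runtime@getRuntime()%7D\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("ognl", OGNL_IN_CONTENT_TYPE),
                       ("encoded", ENCODED_STATIC_REF)):
        print(label, "BLOCK" if should_block(req) else "allow", suspicious_headers(req))
```

The benign upload passes even though its Referer contains `#section-2`, because a soft marker alone never blocks; the second request is caught by the `%{` delimiter, and the third by the `@java.lang.Runtime@` static reference in the raw value and the `${` delimiter that only appears after decoding. Log the matched markers alongside the block decision so the rule can be tuned against real traffic.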

CVSS Score (Common Vulnerability Scoring System)

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged, with high impact on confidentiality, integrity and availability.