CVE-2016-4438

CRITICAL

Apache Struts 2 <2.3.28.1 - RCE

Description

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

Exploits (2)

nomisec WORKING POC 1 stars
by jason3e7 · poc
https://github.com/jason3e7/CVE-2016-4438
nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2016-4438

Scores

CVSS v3 9.8
EPSS 0.6209
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (9)
apache/struts 2.3.20
apache/struts 2.3.20.1
apache/struts 2.3.20.3
apache/struts 2.3.24
apache/struts 2.3.24.1
apache/struts 2.3.24.3
apache/struts 2.3.28
org.apache.struts/struts2-core 2.3.19 - 2.3.29 (Maven)
org.apache.struts/struts2-rest-plugin 2.3.19 - 2.3.29 (Maven)
Published Jul 04, 2016
Tracked Since Feb 18, 2026