Visit NES for Apache Struts Home Page
Apache Struts 1.0.x Release Notes
2 versions
Comprehensive release notes and changelog for Apache Struts 1.0.x, including security patches, bug fixes, and feature updates across all supported versions.
July 2026
1.0.4
Released Jul 17, 2026 Full Version:
1.0.2-struts-1.0.4
Bug Fixes
This release patches the following:
- CVE-2005-3745: Cross-site scripting (XSS)
- CVE-2006-1546: Improper Input Validation
- Breaking Change instructions
- CVE-2006-1547: DoS Multipart
- CVE-2006-1548: Cross-site scripting (XSS)
- CVE-2008-2025: Possible XSS
- This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values.
- A patch was applied to escape untrusted user inputs using double quotes if not already escaped.
- CVE-2014-0114: Class Loader manipulation
- CVE-2016-1181: Multithreaded access to an ActionForm multipart access
- CVE-2016-1182: Access to Validator configuration
- CVE-2023-24998 FileUpload DoS via unbounded part count
- Multipart handling supports a
fileCountMaxActionServlet init-parameter to limit the number of parts in a request; disabled (-1) by default.
- Multipart handling supports a
- CVE-2025-48976 FileUpload DoS via part headers
- Multipart handling supports a
partHeaderSizeMaxActionServlet init-parameter to limit the size of part headers, with a default of512 bytes.
- Multipart handling supports a
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh