Visit NES for Apache Struts Home Page

Apache Struts 1.0.x Release Notes

2 versions

Comprehensive release notes and changelog for Apache Struts 1.0.x, including security patches, bug fixes, and feature updates across all supported versions.

Jul 17, 2026
Latest: 1.0.4
83 Patched Vulnerabilities
VEX Statements

July 2026

Full Version:
1.0.2-struts-1.0.4

Bug Fixes

This release patches the following:

  • CVE-2005-3745: Cross-site scripting (XSS)
  • CVE-2006-1546: Improper Input Validation
  • CVE-2006-1547: DoS Multipart
  • CVE-2006-1548: Cross-site scripting (XSS)
  • CVE-2008-2025: Possible XSS
    • This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values.
    • A patch was applied to escape untrusted user inputs using double quotes if not already escaped.
  • CVE-2014-0114: Class Loader manipulation
  • CVE-2016-1181: Multithreaded access to an ActionForm multipart access
  • CVE-2016-1182: Access to Validator configuration
  • CVE-2023-24998 FileUpload DoS via unbounded part count
    • Multipart handling supports a fileCountMax ActionServlet init-parameter to limit the number of parts in a request; disabled (-1) by default.
  • CVE-2025-48976 FileUpload DoS via part headers
    • Multipart handling supports a partHeaderSizeMax ActionServlet init-parameter to limit the size of part headers, with a default of 512 bytes.

1.0.3

Released Jul 17, 2026
Full Version:
1.0.2-struts-1.0.3

Notes

  • Initial NES release of the Apache Struts 1.0.x line, based on the final OSS release (1.0.2).
  • This baseline release contains no security patches; all known CVEs for the line are addressed in 1.0.4.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.