Apache Struts
Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.
Download
Technology Primer
Apache Struts 7.1.1 GA
Apache Struts 7.1.1 GA has been released
on 18 October 2025.
Apache Struts 6.8.0 GA
Apache Struts 6.8.0 GA has been released
on 5 October 2025.
CVE-2025-64775 File leak in multipart request processing causes disk exhaustion (DoS)
Upgrade to Apache Struts 6.8.0 or 7.1.1 to mitigate the vulnerability.
Read more in the Announcement or in the Security Bulletin S2-068
CVE-2025-68493: XXE vulnerability in XWork component
Upgrade to at least Apache Struts 6.1.1 to mitigate the vulnerability.
Read more in the Announcement or in the Security Bulletin S2-069
Google's Patch Reward program
During SFHTML5 Google announced that they extend their program to cover the Apache Struts project as well. Now you can earn money preparing patches for us! read more
End-of-Life Struts Versions
Some Struts versions are no longer supported and receive no further security patches. We recommend migrating to the latest release. If migration is not immediately feasible, see End-of-Life versions for available options.