S2-069: XXE Vulnerability in XWork Component

Summary

Impacted Vulnerability: XXE vulnerability in XWork component
Impact: Disclosure of Data, Denial of Service, Server Side Request Forgery
Maximum Security Rating: Important
Recommendation: Upgrade to Struts 6.1.1 at least

Affected Software

Struts 2.0.0 through Struts 2.3.37 (EOL)
Struts 2.5.0 through Struts 2.5.33 (EOL)
Struts 6.0.0 through Struts 6.1.0

Reporters

ZAST.AI - https://zast.ai

CVE Identifier

CVE-2025-68493

Problem

Parsing of XML configuration in the XWork component does not validate the XML properly and is vulnerable to XML external entity (XXE) injection.

Solution

Upgrade to Struts 6.1.1 at least.

Backward Compatibility

This change is backward compatible.

Workaround

Users unable to upgrade immediately can mitigate XXE either by:

Using a custom SAXParserFactory: set to a custom factory class that disables external entities by default

or

Defining JVM-level configuration: configure the JVM's default XML parser to disable external entities via system properties (set to empty string to block all protocols):

-
-
-
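The custom-factory route described in the workaround, written out as an added example that is not Struts' own code: a `SAXParserFactory` subclass, given the hypothetical name `HardenedSAXParserFactory`, that turns off DOCTYPE declarations and external entities on the underlying parser and sets the JAXP external-access limits to the empty string (no protocol allowed). The feature URIs and `XMLConstants` properties are standard JDK/Xerces ones; the Struts property used to register the factory is the one named in the workaround above and is not repeated here. The sample documents are constructed for the self-check in `main`.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Hypothetical factory class; wraps the platform default and refuses to be weakened. */
public class HardenedSAXParserFactory extends SAXParserFactory {

    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    private final SAXParserFactory delegate = SAXParserFactory.newInstance();

    public HardenedSAXParserFactory() {
        try {
            delegate.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            delegate.setFeature(DISALLOW_DOCTYPE, true);   // reject any <!DOCTYPE ...> outright
            delegate.setFeature(EXT_GENERAL, false);       // no external general entities
            delegate.setFeature(EXT_PARAMETER, false);     // no external parameter entities
            delegate.setFeature(LOAD_EXTERNAL_DTD, false); // never fetch a DTD
        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
            // Fail closed: a parser that cannot be hardened must not be used for configuration.
            throw new IllegalStateException("XML parser lacks required hardening features", e);
        }
        delegate.setXIncludeAware(false);
        delegate.setNamespaceAware(true);
    }

    @Override
    public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        SAXParser parser = delegate.newSAXParser();
        // JAXP access limits: empty string blocks every protocol, so even if a DOCTYPE
        // were reachable, no external DTD or schema could be retrieved.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return parser;
    }

    /** Callers may tighten features but not re-enable the ones this factory disables. */
    @Override
    public void setFeature(String name, boolean value)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        boolean weakensDoctype = DISALLOW_DOCTYPE.equals(name) && !value;
        boolean weakensEntities = Set.of(EXT_GENERAL, EXT_PARAMETER, LOAD_EXTERNAL_DTD).contains(name) && value;
        if (weakensDoctype || weakensEntities) {
            throw new SAXNotSupportedException("feature " + name + " is locked by HardenedSAXParserFactory");
        }
        delegate.setFeature(name, value);
    }

    @Override
    public boolean getFeature(String name)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        return delegate.getFeature(name);
    }

    // Constructed sample inputs for the self-check below.
    static final String PLAIN_SAMPLE =
        "<?xml version=\"1.0\"?><struts><package name=\"default\"/></struts>";
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE struts [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>\n"
        + "<struts>&ext;</struts>";

    /** Returns true if the hardened parser accepts the document, false if it rejects it. */
    static boolean parses(String xml) throws Exception {
        SAXParser parser = new HardenedSAXParserFactory().newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain config accepted: " + parses(PLAIN_SAMPLE));
        System.out.println("doctype document accepted: " + parses(DOCTYPE_SAMPLE));
    }
}
```

The plain configuration document parses normally, while the document carrying a DOCTYPE is refused at the declaration itself, before any entity could be resolved; the placeholder URI is never contacted. Locking `setFeature` matters because the factory is shared: a later caller that re-enabled external entities on the delegate would silently reopen the hole. The JVM-level alternative in the workaround applies the same access limits process-wide through system properties instead of per factory.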