Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CVE-2014-0114
Score elevated to 9.0 because EPSS predicts 92% probability of exploitation within the next 30 days (top 0.3% of all CVEs). Confidence: see factors.
- High exploitation likelihood — EPSS 96%
A fix is available — apply it.
- CVSS v3
- —
- EG Score
- 9.0(low)
- EPSS
- 99.9%
- KEV
- Not listed
Published
April 30, 2014
Last Modified
May 6, 2026
References (238)
- secalert@redhathttp://advisories.mageia.org/MGASA-2014-0219.html
- secalert@redhathttp://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html
- secalert@redhathttp://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
- secalert@redhathttp://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html
- secalert@redhathttp://marc.info/?l=bugtraq&m=140119284401582&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=140801096002766&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=141451023707502&w=2
- secalert@redhathttp://openwall.com/lists/oss-security/2014/06/15/10
- secalert@redhathttp://openwall.com/lists/oss-security/2014/07/08/1
- secalert@redhathttp://seclists.org/fulldisclosure/2014/Dec/23
- secalert@redhathttp://secunia.com/advisories/57477
- secalert@redhathttp://secunia.com/advisories/58710
- secalert@redhathttp://secunia.com/advisories/58851
- secalert@redhathttp://secunia.com/advisories/58947
- secalert@redhathttp://secunia.com/advisories/59014
Vendor Advisories for CVE-2014-0114(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(8)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | libcommons-beanutils-java-doc (1.9.2-3ubuntu0.1~esm1) @ xenial | 2026-05-28 | ubuntu |
| redhat | patch | 2019-10-10 | redhat |
| redhat | patch | 2018-09-11 | redhat |
| redhat | patch | 2014-05-15 | redhat |
| redhat | patch | 2014-05-14 | redhat |
| redhat | patch | 2014-05-14 | redhat |
| redhat | struts-0:1.3.10-6.ep5.el6 | 2014-05-14 | redhat |
| redhat | struts-0:1.2.9-4jpp.8.el5_10 | 2014-05-07 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| commons-beanutils:commons-beanutils | 1.8.0 ... 1.9.3 (8 versions) | 1.9.4 | — |
Additional Vendor Advisories
(7)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2014:0474IMPORTANT2014-04-29
RHSA-2014:0474 — Important
- Red HatRHSA-2014:0497IMPORTANT2014-04-29
RHSA-2014:0497 — Important
- Red HatRHSA-2014:0498IMPORTANT2014-04-29
RHSA-2014:0498 — Important
- Red HatRHSA-2014:0500IMPORTANT2014-04-29
RHSA-2014:0500 — Important
- Red HatRHSA-2014:0511IMPORTANT2014-04-29
RHSA-2014:0511 — Important
- Red HatRHSA-2019:2995IMPORTANT2014-04-29
RHSA-2019:2995 — Important
- UbuntuUSN-4766-1MEDIUM
Apache Commons BeanUtils vulnerabilities
Data Freshness Timeline
(refreshed 0× in last 7d / 14× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-05 00:56 UTCOSV refresh
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-22 14:22 UTCEPSS rescore
- 2026-06-22 14:22 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-16 12:39 UTCOSV refresh
- 2026-06-15 17:44 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-10 22:15 UTCEPSS rescore
- 2026-06-07 15:22 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-28 19:12 UTCEG score recompute
Show 18 moreShow fewer
- 2026-05-28 19:12 UTCVendor advisory
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 02:46 UTCOSV refresh
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(4 references)Working exploit code is in the public domain (1 Metasploit module) (2 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Open source ↗GitHub PoCaenlr/strutt-cve-2014-0114First seen May 27, 2019
- GitHub PoCrgielen/struts1filterFirst seen May 22, 2014
A request parameter filter solution for Struts 1 CVE-2014-0114 based on the work of Alvaro Munoz and the HP Fortify team
Open source ↗ - Exploit-DBEDB-41690✓ verifiedFirst seen Mar 6, 2014
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
Open source ↗ - Metasploitexploit/multi/http/struts_code_exec_classloader✓ verifiedFirst seen Mar 6, 2014
Apache Struts ClassLoader Manipulation Remote Code Execution
Open source ↗
Frequently asked(4)
What is CVE-2014-0114?
When was CVE-2014-0114 disclosed?
Is CVE-2014-0114 actively exploited?
How do I remediate CVE-2014-0114?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2014-0114
Is Your Infrastructure Affected by CVE-2014-0114?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.