CVE-2018-11776

HIGHNVD 8.19.0
EchelonGraph scoreMEDIUM confidence

Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 8.1 retained for reference. Confidence: HIGH.

Triggered by: CISA KEV (actively exploited)
Sources: cisa_kev, epss, nvd
Exploited in the wild
8.1
EchelonGraph verdictPatch nowTreat as an emergency — this is being exploited.
  • Actively exploited in the wild (CISA-KEV)
CISA-KEV: ExploitedEPSS: 100%CVSS: 8.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

CVSS v3
8.1
EG Score
9.0(medium)
EPSS
100.0%
KEV
⚠ Exploited

Published

August 22, 2018

Last Modified

October 27, 2025

Advisory Details (6)

Auto-updated Jun 3, 2026
No patch confirmed yet.
generic

GitHub - hook-s3c/CVE-2018-11776-Python-PoC: Working Python test and PoC for CVE-2018-11776, includes Docker lab · GitHub

https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
generic

S2-057 - Apache Struts 2 Wiki - Apache Software Foundation

https://cwiki.apache.org/confluence/display/WW/S2-057

Affected Packages

(1 across 1 ecosystem)
Maven(1)
PackageVulnerable rangeFixed inDependents
org.apache.struts:struts2-core2.5 ... 2.5.8 (12 versions)2.5.17

Frequently asked(6)

What is CVE-2018-11776?
CVE-2018-11776 is a high vulnerability published on August 22, 2018. Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace…
When was CVE-2018-11776 disclosed?
CVE-2018-11776 was first published in the National Vulnerability Database on August 22, 2018, with the most recent update on October 27, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2018-11776 actively exploited?
Yes. CISA added CVE-2018-11776 to the Known Exploited Vulnerabilities catalog on November 3, 2021, affecting Apache Struts. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.
What is the CVSS score of CVE-2018-11776?
CVE-2018-11776 has a CVSS v3 base score of 8.1 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.
Which products are affected by CVE-2018-11776?
CVE-2018-11776 affects Apache Struts. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.
How do I remediate CVE-2018-11776?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2018-11776, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2018-11776

Explore →

Is Your Infrastructure Affected by CVE-2018-11776?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.