Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
CVE-2018-11776
HIGHNVD 8.19.0▲Exploited in the wild
EchelonGraph scoreMEDIUM confidence
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 8.1 retained for reference. Confidence: HIGH.
Triggered by: CISA KEV (actively exploited)
Sources: cisa_kev, epss, nvd
8.1
EchelonGraph verdictPatch nowTreat as an emergency — this is being exploited.
- Actively exploited in the wild (CISA-KEV)
CISA-KEV: ExploitedEPSS: 100%CVSS: 8.1Exploit: NoneExposed: 0
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.1
- EG Score
- 9.0(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
August 22, 2018
Last Modified
October 27, 2025
Advisory Details (6)
Auto-updated Jun 3, 2026No patch confirmed yet.
generic
GitHub - hook-s3c/CVE-2018-11776-Python-PoC: Working Python test and PoC for CVE-2018-11776, includes Docker lab · GitHub
https://github.com/hook-s3c/CVE-2018-11776-Python-PoCgeneric
S2-057 - Apache Struts 2 Wiki - Apache Software Foundation
https://cwiki.apache.org/confluence/display/WW/S2-057Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.struts:struts2-core | 2.5 ... 2.5.8 (12 versions) | 2.5.17 | — |
Frequently asked(6)
What is CVE-2018-11776?
CVE-2018-11776 is a high vulnerability published on August 22, 2018. Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace…
When was CVE-2018-11776 disclosed?
CVE-2018-11776 was first published in the National Vulnerability Database on August 22, 2018, with the most recent update on October 27, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2018-11776 actively exploited?
Yes. CISA added CVE-2018-11776 to the Known Exploited Vulnerabilities catalog on November 3, 2021, affecting Apache Struts. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.
What is the CVSS score of CVE-2018-11776?
CVE-2018-11776 has a CVSS v3 base score of 8.1 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.
Which products are affected by CVE-2018-11776?
CVE-2018-11776 affects Apache Struts. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.
How do I remediate CVE-2018-11776?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2018-11776, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2018-11776
Is Your Infrastructure Affected by CVE-2018-11776?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.