CVE-2017-9805
Apache Struts Deserialization of Untrusted Data Vulnerability
CVSS
—
No CVSS
EPSS
99.5%
p100
KEV
YES
Nov 3, 2021
Exploit Today
80
0-100
Published: — · Last modified: —
99.5%EPSS · 30 days99.5%
2026-06-302026-07-16
Product
Apache / Struts
Vulnerability
Apache Struts Deserialization of Untrusted Data Vulnerability
Added to KEV
Nov 3, 2021
Remediate by
May 3, 2022
Known ransomware use
No
Summary description
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Required action
Apply updates per vendor instructions.
Notes
https://nvd.nist.gov/vuln/detail/CVE-2017-9805
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2017-5638—100.0%
KEV—80Apache Struts Remote Code Execution Vulnerability—CVE-2018-11776—100.0%
KEV—80Apache Struts Remote Code Execution Vulnerability—CVE-2013-2251—100.0%
KEV—80Apache Struts Improper Input Validation Vulnerability—CVE-2020-17530—99.9%
KEV—80Apache Struts Remote Code Execution Vulnerability—