{"cve":{"cve_id":"CVE-2012-0391","is_kev":true,"kev_date_added":"2022-01-21","kev_vendor_project":"Apache","kev_product":"Struts 2","kev_vulnerability_name":"Apache Struts 2 Improper Input Validation Vulnerability","kev_short_description":"The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.","kev_required_action":"Apply updates per vendor instructions.","kev_due_date":"2022-07-21","kev_known_ransomware":false,"kev_notes":"https://nvd.nist.gov/vuln/detail/CVE-2012-0391","kev_cwes":["CWE-20"],"epss_score":0.75071,"epss_percentile":0.99444,"epss_as_of":"2026-06-23","description":"The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.","published_at":"2012-01-08T15:00:00Z","last_modified_at":"2026-06-16T23:37:12.150000Z","cvss_v3_score":9.8,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":true,"ssvc_technical_impact":"total","cwes":["CWE-94"],"nvd_references":["http://www.exploit-db.com/exploits/18329","http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html","http://struts.apache.org/2.x/docs/version-notes-2311.html","http://struts.apache.org/2.x/docs/s2-008.html","https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","https://issues.apache.org/jira/browse/WW-3668","http://secunia.com/advisories/47393"],"vuln_status":"Analyzed","trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-28T23:06:08.152973Z"},"effective_severity":"CRITICAL","badges":["kev","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"apache","vendor_name":"apache","product_slug":"struts","product_name":"Struts","version_start":null,"version_start_inclusive":null,"version_end":"2.2.3.1","version_end_inclusive":false,"cpe23_uri":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*"}],"exploit_refs":[],"news":[],"references":[{"url":"http://www.exploit-db.com/exploits/18329","source_type":"EXPLOIT","tags":["exploit"]},{"url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html","source_type":"MISC","tags":[]},{"url":"http://struts.apache.org/2.x/docs/version-notes-2311.html","source_type":"MISC","tags":[]},{"url":"http://struts.apache.org/2.x/docs/s2-008.html","source_type":"MISC","tags":[]},{"url":"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt","source_type":"MISC","tags":[]},{"url":"https://issues.apache.org/jira/browse/WW-3668","source_type":"MISC","tags":[]},{"url":"http://secunia.com/advisories/47393","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2012-01-08T15:00:00Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2022-01-21T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"ssvc_changed","at":"2026-06-24T00:30:43.703670Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:30:43.703670Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:30:43.703670Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:30:43.703670Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:30:43.703670Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:30:43.703670Z","label":"CVSS score revised","source":"vulnrichment"}]}