There was another report for a Struts security issue: CVE-2012-1592: http://seclists.org/bugtraq/2012/Mar/110 Can you please contact upstream, whether this needs to be fixed in our Struts 1.2? Cheers, Moritz