The following security bulletins are available:

• S2-001 — Remote code exploit on form validation error
• S2-002 — Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags
• S2-003 — XWork ParameterInterceptors bypass allows OGNL statement execution
• S2-004 — Directory traversal vulnerability while serving static content
• S2-005 — XWork ParameterInterceptors bypass allows remote command execution
• S2-006 — Multiple Cross-Site Scripting (XSS) in XWork generated error pages
• S2-007 — User input is evaluated as an OGNL expression when there's a conversion error
• S2-008 — Multiple critical vulnerabilities in Struts2
• S2-009 — ParameterInterceptor vulnerability allows remote command execution
• S2-010 — When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
• S2-011 — Long request parameter names might significantly promote the effectiveness of DOS attacks