CWE-106 Variant Draft

Struts: Plug-in Framework not in Use

Definition

What is CWE-106?

This weakness occurs when a Java application, particularly one using the Struts framework, does not implement a structured input validation plugin like the Struts Validator. Skipping this framework forces developers to write custom validation logic, which is often error-prone and increases the risk of security flaws from improperly handled user input.

Without a dedicated validation framework, your application becomes vulnerable to common web attacks. Unchecked user input is a primary entry point for cross-site scripting (XSS), SQL injection, and unauthorized command execution, as attackers can inject malicious code or manipulate application logic. While Java environments typically avoid memory corruption issues, the risk extends to integrated native code. If your J2EE application passes unvalidated data to native libraries or components that lack proper bounds checking, a simple input validation oversight can escalate into a severe buffer overflow attack, compromising the entire system.

Real-world impact

Real-world CVEs caused by CWE-106

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

1
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data.
2
However, the RegistrationForm class extends the Struts ActionForm class which does use the Struts validator plug-in to provide validator capabilities. In the following example, the RegistrationForm Java class extends the ValidatorForm and Struts configuration XML file, struts-config.xml, instructs the application to use the Struts validator plug-in.
3
The plug-in tag of the Struts configuration XML file includes the name of the validator plug-in to be used and includes a set-property tag to instruct the application to use the file, validator-rules.xml, for default validation rules and the file, validation.XML, for custom validation.

Vulnerable code example

Vulnerable Java

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data.

Vulnerable Java

public class RegistrationForm extends org.apache.struts.action.ActionForm {
```
// private variables for registration form* 
  	private String name;
  	private String email;
  	...
  	
  	public RegistrationForm() {
  	```
  		super();
  	}
```
// getter and setter methods for private variables* 
  	...
  	}

Secure code example

Secure Java

However, the RegistrationForm class extends the Struts ActionForm class which does use the Struts validator plug-in to provide validator capabilities. In the following example, the RegistrationForm Java class extends the ValidatorForm and Struts configuration XML file, struts-config.xml, instructs the application to use the Struts validator plug-in.

Secure Java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
```
// private variables for registration form* 
  	private String name;
  	private String email;
  	...
  	
  	public RegistrationForm() {
  	```
  		super();
  	}
  	public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
```
// getter and setter methods for private variables* 
  	...
  	}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-106

Architecture and Design Use an input validation framework such as Struts.
Architecture and Design Use an input validation framework such as Struts.
Implementation Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition
Implementation Use the Struts Validator to validate all program input before it is processed by the application. Ensure that there are no holes in the configuration of the Struts Validator. Example uses of the validator include checking to ensure that: - Phone number fields contain only valid characters in phone numbers - Boolean values are only "T" or "F" - Free-form strings are of a reasonable length and composition

Detection signals

How to detect CWE-106

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-106 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-106?

How serious is CWE-106?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-106?

MITRE lists the following affected platforms: Java.

How can I prevent CWE-106?

Use an input validation framework such as Struts. Use an input validation framework such as Struts.

How does Plexicus detect and fix CWE-106?

Plexicus's SAST engine matches the data-flow signature for CWE-106 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-106?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/106.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-106

CWE-1173 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Struts: Plug-in Framework not in Use

What is CWE-106?

Real-world CVEs caused by CWE-106

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-106

How to detect CWE-106

Plexicus auto-detects CWE-106 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-106

Improper Use of Validation Framework

Struts: Duplicate Validation Forms

Struts: Form Field Without Validator

Struts: Unvalidated Action Form

Struts: Validator Turned Off

ASP.NET Misconfiguration: Improper Model Validation

ASP.NET Misconfiguration: Not Using Input Validation Framework

Further reading

Don't Let Security
Weigh You Down.

Struts: Plug-in Framework not in Use

What is CWE-106?

Real-world CVEs caused by CWE-106

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-106

How to detect CWE-106

Plexicus auto-detects CWE-106 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-106

Improper Use of Validation Framework

Struts: Duplicate Validation Forms

Struts: Form Field Without Validator

Struts: Unvalidated Action Form

Struts: Validator Turned Off

ASP.NET Misconfiguration: Improper Model Validation

ASP.NET Misconfiguration: Not Using Input Validation Framework

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.