7.8

Apache Struts: Malicious User Can Bypass Permission Checks

CVE-2025-48653 ASB-A-435737668
Summary

Apache Struts has a mistake in its code that could allow a malicious user to gain more access to the system than they should have. This means they could do things they shouldn't be able to do without needing extra permissions. To fix this, update to the latest version of Apache Struts.

What to do
  • Update google platform/packages/modules/permission to version 16-qpr2-next:2026-03-01.
  • Update google platform/packages/modules/permission to version 15:2026-03-01.
  • Update google platform/packages/modules/permission to version 16:2026-03-01.
  • Update google platform/packages/modules/permission to version 16-qpr2:2026-03-01.
  • Update google platform/packages/modules/permission to version 14:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| google | android | 14.0 | |
| google | android | 15.0 | |
| google | android | 16.0 | |
| google | android | 16.0 | |
| google | android | 16.0 | |
| google | android | 16.0 | |
| google | platform/packages/modules/permission | > 16-qpr2-next:0, <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| google | platform/packages/modules/permission | > 15:0, <= 15:2026-03-01 | 15:2026-03-01 |
| google | platform/packages/modules/permission | > 16:0, <= 16:2026-03-01 | 16:2026-03-01 |
| google | platform/packages/modules/permission | > 16-qpr2:0, <= 16-qpr2:2026-03-01 | 16-qpr2:2026-03-01 |
| google | platform/packages/modules/permission | > 14:0, <= 14:2026-03-01 | 14:2026-03-01 |
Original title
In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional ...
Original description
In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
NVD CVSS 3.1: 7.8
Vulnerability type
CWE-693 Protection Mechanism Failure
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026