I'm no Struts expert, but my guess is that Struts adds a Servlet Mapping for anything in the context that ends in .xml.
UPDATE – The Apache Software Foundation will re-issue a patch for a ClassLoader manipulation zero-day vulnerability in Struts. The fix is expected to be ready within 72 hours; a workaround is ...
The Apache Software Foundation has patched a critical security vulnerability which affects all versions of Apache Struts 2. Uncovered by researchers from cybersecurity firm Semmle, the security flaw ...
Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available ...
The Apache Software Foundation has released Struts 2.3.15.1, a security update for its popular Java Web application development framework that addresses two vulnerabilities, including a critical one ...
A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an ...
Apache Struts 1.x, the original version of the Java EE Web application development framework, has reached the "end of life," according to the Apache Software Foundation (ASF), and is no longer ...