Greetings,

This is regarding the CVE-2026-0603 vulnerability affecting hibernate-core 5.x
versions. We are running Apache Struts 6.8.0 with hibernate-core 5.6.15.

We know it's an optional dependency for struts-core, but without it, a lot of
NoClassDefFoundError-s (hundreds of thousands) are thrown and internally
handled in com.opensymphony.xwork2.util.ProxyUtil#isHibernateProxy during
the app execution. This decreases the performance of our app.

Is it safe to upgrade hibernate-core to a non-vulnerable version while
staying on Struts 6.8.0?
