本頁列出影響 apache commons_fileupload 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2025-48976 | Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. | [email protected] | 7.5 | 1.28% | 2025-06-16 | 2025-11-03 |
| CVE-2023-24998 | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. | [email protected] | 7.5 | 33.90% | 2023-02-20 | 2025-11-03 |
| CVE-2016-1000031 | Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution | [email protected] | 9.8 | 56.43% | 2016-10-25 | 2026-05-06 |
| CVE-2016-3092 | The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. | [email protected] | 7.5 | 40.25% | 2016-07-04 | 2026-05-06 |
| CVE-2014-0050 | MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. | [email protected] | 7.5 | 92.69% | 2014-04-01 | 2026-05-06 |
| CVE-2013-0248 | The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. | [email protected] | 3.3 | 0.07% | 2013-03-15 | 2026-04-29 |