| Release | Version |
|---|---|
| bullseye | 1.4-1 |
| bullseye (security) | 1.4-1+deb11u1 |
| bookworm | 1.4-2 |
| trixie | 1.5-1.1 |
| forky | 1.5-1.1 |
| sid | 1.5-1.1 |
| Bug | bullseye | bookworm | trixie | forky | sid | Description |
|---|---|---|---|---|---|---|
| CVE-2025-48976 | fixed | vulnerable (no DSA) | vulnerable | vulnerable | vulnerable | Allocation of resources for multipart headers with insufficient limits ... |
| Bug | bullseye | bookworm | trixie | forky | sid | Description |
|---|---|---|---|---|---|---|
| CVE-2016-1000031 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation ... |
| Bug | Description |
|---|---|
| CVE-2023-24998 | Apache Commons FileUpload before 1.5 does not limit the number of requ ... |
| CVE-2016-3092 | The MultipartStream class in Apache Commons Fileupload before 1.3.2, a ... |
| CVE-2014-0050 | MultipartStream.java in Apache Commons FileUpload before 1.3.1, as use ... |
| CVE-2013-2186 | The DiskFileItem class in Apache Commons FileUpload, as used in Red Ha ... |
| CVE-2013-0248 | The default configuration of javax.servlet.context.tempdir in Apache C ... |
| DSA / DLA | Description |
|---|---|
| DLA-4245-1 | libcommons-fileupload-java - security update |
| DSA-3611-1 | libcommons-fileupload-java - security update |
| DLA-528-1 | libcommons-fileupload-java - security update |
| DSA-2856-1 | libcommons-fileupload-java - security update |
| DSA-2827-1 | libcommons-fileupload-java - arbitrary file upload via deserialization |