6 matches found
CVE-2014-0050
This CVE affects Apache Commons FileUpload (MultipartStream.java) before version 1.3.1, as used in Apache Tomcat, JBoss Web, and other products. The root cause is a crafted Content-Type header that bypasses the loop exit conditions, allowing remote attackers to trigger an infinite loop and high C...
CVE-2023-24998
CVE-2023-24998 arises from Apache Commons FileUpload not limiting the number of request parts, enabling a DoS via a malicious upload or series of uploads. The described issue notes that the related file-count limit (FileUploadBase#setFileCountMax) is not enabled by default and must be configured ...
CVE-2016-3092
CVE-2016-3092 is a DoS in Apache Commons FileUpload via a crafted long multipart boundary. Affected: Commons FileUpload before 1.3.2 used in Tomcat 7.x up to 7.0.70, Tomcat 8.x up to 8.0.36, Tomcat 8.5.x up to 8.5.3, Tomcat 9.x up to 9.0.0.M7, and other products. Root cause: boundary length trigg...
CVE-2016-1000031
The CVE-2016-1000031 entry concerns Apache Commons FileUpload prior to version 1.3.3, where DiskFileItem handling allowed remote code execution. Connected advisories show Atlassian Fisheye/Crucible assemblies using a vulnerable library and updating to the safe version; F5 advisories list Traffix ...
CVE-2025-48976
CVE-2025-48976 is a DoS in Apache Commons FileUpload caused by allocation of resources for multipart headers with insufficient limits. Affected: 1.0 before 1.6 and 2.0.0-M1 before 2.0.0-M4. Impact: potential high-availability disruption. Remediation: upgrade to 1.6 or 2.0.0-M4 (as stated in multi...
CVE-2013-0248
CVE-2013-0248 affects Apache Commons FileUpload 1.0–1.2.2. The default javax.servlet.context.tempdir uses the /tmp directory for uploads, enabling a local user to overwrite arbitrary files via an unspecified symlink attack. Both impact and exploitation are local, with file overwrite risk. The con...