Apache Commons Fileupload
By the Year
In 2026 there have been 0 vulnerabilities in Apache Commons Fileupload. Last year, in 2025, Commons Fileupload had 1 security vulnerability published. Right now, Commons Fileupload is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 7.50 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 0.00 |
It may take a day or so for new Commons Fileupload vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Commons Fileupload Security Vulnerabilities
Apache Commons FileUpload DoS via Unbounded Multipart Header Allocation
CVE-2025-48976
7.5 - High
- June 16, 2025
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Allocation of Resources Without Limits or Throttling
Apache Commons FileUpload DoS via unlimited upload parts before 1.5
CVE-2023-24998
- February 20, 2023
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Allocation of Resources Without Limits or Throttling
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVE-2016-1000031
9.8 - Critical
- October 25, 2016
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Authorization
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products
CVE-2016-3092
- July 04, 2016
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header
CVE-2014-0050
- April 01, 2014
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which
CVE-2013-0248
- March 15, 2013
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.