[ https://issues.apache.org/jira/browse/FILEUPLOAD-361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18005246#comment-18005246 ]
Gary D. Gregory commented on FILEUPLOAD-361:
--------------------------------------------

[~dmoebius] I sent an email and CC'd our dev list: [https://lists.apache.org/thread/kbl1mpx6bvfs5xj1w073ddspw92gs4ks]

> NVD still lists fileupload 2.0.0-M4 as vulnerable
> -------------------------------------------------
>
>                 Key: FILEUPLOAD-361
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-361
>             Project: Commons FileUpload
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M4
>            Reporter: Dirk Moebius
>            Priority: Major
>
> The NVD still lists commons-fileupload-2.0.0-M4 as vulnerable:
> [https://nvd.nist.gov/vuln/detail/CVE-2025-48976#match-16814623]
> although the CVE is officially reported as fixed for M4:
> [https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12]
> The NVD REST service lists M4 as vulnerable:
> [https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-48976]
> It looks like this is more an issue for NVD than for Apache, but if possible
> please send correct information to NVD so that they can fix this issue.
> This is a serious problem for us: because of corporate security constraints, we
> are forced to add hundreds of OWASP suppressions to various code bases due to
> this false positive.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
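
The following is an added example, not part of the original message and not Apache or NVD code: it shows how a scanner reading an NVD CVE API 2.0 response decides which `cpeMatch` entries cover a given version, which is the check that determines whether 2.0.0-M4 is flagged. The response is a constructed sample; the CPE strings, version bounds, `PLACEHOLDER-*` IDs, the `milestone4` encoding in the CPE update field, and the function name `matching_criteria` are assumptions.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response. The CPE strings,
# bounds and IDs are illustrative placeholders, not NVD's actual records.
SAMPLE = json.loads("""
{"vulnerabilities": [{"cve": {"id": "CVE-2025-48976", "configurations": [{"nodes": [
  {"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true, "matchCriteriaId": "PLACEHOLDER-RANGE",
     "criteria": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.6.0"},
    {"vulnerable": true, "matchCriteriaId": "PLACEHOLDER-M4",
     "criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:milestone4:*:*:*:*:*:*"}
  ]}]}]}}]}
""")

def _ver(s):
    # Numeric dotted versions only, zero-padded so "1.6" compares equal to "1.6.0".
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def _in_range(version, m):
    v = _ver(version)
    checks = [("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b)]
    return all(ok(_ver(m[key])) for key, ok in checks if key in m)

def matching_criteria(response, vendor, product, version, update="*"):
    """Return matchCriteriaIds of vulnerable cpeMatch entries covering the component."""
    hits = []
    for item in response["vulnerabilities"]:
        for config in item["cve"].get("configurations", []):
            for node in config["nodes"]:
                for m in node["cpeMatch"]:
                    # Naive split: assumes no escaped ':' in the CPE string.
                    f = m["criteria"].split(":")
                    if not m["vulnerable"] or (f[3], f[4]) != (vendor, product):
                        continue
                    if f[5] == "*":   # wildcard version: apply the range bounds
                        ok = _in_range(version, m)
                    else:             # exact version entry: compare version and update
                        ok = f[5] == version and f[6] in ("*", update)
                    if ok:
                        hits.append(m["matchCriteriaId"])
    return hits

if __name__ == "__main__":
    for upd in ("milestone4", "milestone5"):
        print(upd, matching_criteria(SAMPLE, "apache", "commons_fileupload", "2.0.0", upd))
```

Running the same function over the live response from the REST URL quoted in the issue shows which match entry is responsible for a finding, so a suppression can be scoped to that one CVE and component.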