Apache Commons – Apache Commons Reporting Security Problems
Last Published: 24 March 2026
Reporting New Security Problems with Apache Commons Components
The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against its products.

We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum.
Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in our source code will be ignored.
If you need to report a bug that isn't an undisclosed security vulnerability, please use the bug reporting page instead.

The private security mailing address is: security@commons.apache.org
Asking Questions About Known Security Problems
Questions about:
if a vulnerability applies to your particular application
obtaining further information on a published vulnerability
availability of patches and/or new releases
should be addressed to the users mailing list. Please see the mailing lists page for details of how to subscribe.
Security Model
The Commons libraries are low-level libraries typically designed to work with input that is either trusted or validated/sanitized by the application using the library. It is unsafe to provide possibly malicious input to Commons libraries unless otherwise specified.

We consider calls to the Commons API subject to the same caveat as the JDK: those calls will usually do what the caller asks. Whether it is "dangerous" depends on the (application) context. Therefore, don't report a behavior as a Commons component's vulnerability if the same behavior would be considered legitimate for the JDK. We welcome suggestions for hardening the code base.
Known Security Vulnerabilities
Known security vulnerabilities fixed in released versions of Apache Commons components are listed in specific pages for each component.
Apache Commons BCEL Security Vulnerabilities
Apache Commons Collections Security Vulnerabilities
Apache Commons Compress Security Vulnerabilities
Apache Commons Configuration Security Vulnerabilities
Apache Commons Crypto Security Vulnerabilities
Apache Commons Email Security Vulnerabilities
Apache Commons FileUpload Security Vulnerabilities
Apache Commons NET Security Vulnerabilities
Apache Commons Text Security Vulnerabilities
If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions in one of the pages are incomplete, please report them privately to the Apache Security Team. Thank you.
Errors and Omissions
Please report any errors or omissions to the dev mailing list.
Copyright © 2026 The Apache Software Foundation
Apache Commons, Apache, the Apache feather logo, and the Apache Commons project logos are trademarks of The Apache Software Foundation.
All other marks mentioned may be trademarks or registered trademarks of their respective owners.