It was reported that if there's no registered handler for a POST request, the default behaviour is to write it to the filesystem, which allows a remote attacker to upload arbitrary data.

Proposed patch:
https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd

CVE request:
http://www.openwall.com/lists/oss-security/2016/07/18/13
Created libupnp tracking bugs for this issue:

Affects: fedora-all [bug 1358351]
Affects: epel-7 [bug 1358352]