Matthew Garrett discovered that libupnp mishandled POST requests by
default. An attacker could use this vulnerability to write files to
arbitrary locations in the victim’s filesystem, possibly as root.
(CVE-2016-6255)
It was discovered that libupnp mishandled certain input. A remote attacker
could use this vulnerability to cause a denial of service (crash) or
possibly execute arbitrary code. (CVE-2016-8863)