
Owasp-Modsecurity Modsecurity vulnerabilities

6 known vulnerabilities affecting owasp-modsecurity/modsecurity.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2

Vulnerabilities

Page 1 of 1
CVE-2025-27110 | P3 | HIGH | CVSS 7.5 | v= 3.0.13 | 2025-02-25
CVE-2025-27110 [HIGH] CWE-172: Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain l
Source: nvd
CVE-2026-30923 | P3 | HIGH | CVSS 7.5 | fixed in 3.0.15 | 2026-05-05
CVE-2026-30923 [HIGH] CWE-125: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash
Source: nvd
CVE-2025-47947 | P3 | HIGH | CVSS 7.5 | fixed in 2.9.10 | 2025-05-21
CVE-2025-47947 [HIGH] CWE-1050: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes
Source: nvd
CVE-2026-42268 | P3 | HIGH | CVSS 7.5 | v>= 3.0.0, < 3.0.15 | 2026-05-12
CVE-2026-42268 [HIGH] CWE-191: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule with any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability
Source: nvd
CVE-2025-52891 | P4 | MEDIUM | CVSS 6.5 | v>= 2.9.8, < 2.9.11 | 2025-07-02
CVE-2025-52891 [MEDIUM] CWE-20: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (e.g. ), then a segmentation fault
Source: nvd
CVE-2025-54571 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.9.12 | 2025-08-06
CVE-2025-54571 [MEDIUM] CWE-252: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source c
Source: nvd
Owasp-Modsecurity Modsecurity vulnerabilities | cvebase