Skip to main content

ModSecurity CVE-2026-52747

| EUVDEUVD-2026-43047 HIGH
Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
2026-07-10 GitHub_M
8.6
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
8.6 HIGH

Remote unauthenticated multipart request, no user interaction (AV:N/AC:L/PR:N/UI:N); scope changes to the protected backend (S:C) whose integrity is undermined by the bypass (I:H), with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 22:18 vuln.today
CVE Published
Jul 10, 2026 - 21:42 cve.org
HIGH 8.6

DescriptionNVD

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and ARGS_POST because src/request_body_processor/multipart.cc overwrites reserved bytes in m_reserve instead of appending the current buffer. This creates a parser differential between ModSecurity and backend applications that preserve line breaks in form fields, allowing rules that inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax depends on a line break. This issue is fixed in version 3.0.16.

AnalysisAI

WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle malicious payloads past inspection rules by exploiting a multipart/form-data parser differential. The engine silently strips embedded line breaks from non-file form-field values before populating ARGS and ARGS_POST, so any rule whose detection depends on a newline (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft multipart/form-data POST with newline-split payload
Delivery
Send request through ModSecurity-protected endpoint
Exploit
Parser strips CR/LF from ARGS_POST value
Execution
WAF rule fails to match sanitized value
Persist
Backend reassembles original payload
Impact
Injection executes on protected application

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application (1) is protected by ModSecurity/libmodsecurity earlier than 3.0.16, (2) accepts multipart/form-data request bodies, (3) enforces detection rules that inspect the ARGS or ARGS_POST collections, and (4) runs a backend that preserves embedded CR/LF in form-field values so its parsing diverges from ModSecurity's - the payload's malicious effect must specifically depend on a line break that ModSecurity removes but the backend keeps. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine security-control-bypass with a wide blast radius rather than a high-CVSS-but-low-impact issue: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N correctly captures a network-reachable, low-complexity, unauthenticated condition whose scope change (S:C) reflects that the harmed component is the protected backend, not ModSecurity itself, with high integrity impact and no confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted multipart/form-data POST to an application fronted by ModSecurity, placing a malicious payload (for example an injection string whose dangerous syntax is split by an embedded newline) inside a non-file form field. ModSecurity strips the line break before writing the value to ARGS/ARGS_POST, so the CRS or custom rule that would have flagged the payload sees a benign-looking single line and passes the request, while the backend reassembles or interprets the original bytes and executes the intended attack. …
Remediation Vendor-released patch: 3.0.16 - upgrade libmodsecurity to version 3.0.16 or later and reload the Apache/IIS/Nginx worker so the fixed multipart parser is loaded, per release https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.16 and advisory https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and document all production ModSecurity deployments with version < 3.0.16; analyze recent multipart/form-data traffic for exploitation indicators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-27110 HIGH POC
7.9 Feb 25

Libmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is rem

CVE-2025-48866 HIGH POC
7.5 Jun 02

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` ac

CVE-2021-42717 HIGH POC
7.5 Dec 07

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerabi

CVE-2020-15598 HIGH POC
7.5 Oct 06

Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5),

CVE-2012-4528 MEDIUM POC
5.0 Dec 28

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver ar

CVE-2018-13065 MEDIUM POC
6.1 Jul 03

ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerabili

CVE-2013-2765 MEDIUM POC
5.0 Jul 15

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NUL

CVE-2013-5705 MEDIUM POC
5.0 Apr 15

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer codi

CVE-2024-1019 HIGH
8.6 Jan 30

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially

CVE-2013-1915 HIGH
7.5 Apr 25

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cau

CVE-2024-46292 HIGH
7.5 Oct 09

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserte

CVE-2023-38285 HIGH
7.5 Jul 26

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. Rated high severity (CVSS 7.5), this vul

Share

CVE-2026-52747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy