Skip to main content

Modsecurity

19 CVEs product

Monthly

CVE-2026-52747 HIGH PATCH This Week

WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle malicious payloads past inspection rules by exploiting a multipart/form-data parser differential. The engine silently strips embedded line breaks from non-file form-field values before populating ARGS and ARGS_POST, so any rule whose detection depends on a newline (e.g. command, header, or injection syntax spanning a line break) fails to match while the backend still receives and acts on the intact payload. No public exploit identified at time of analysis, but the CVSS base score of 8.6 reflects a scope-changing integrity impact on every application shielded by an affected deployment.

Information Disclosure Nginx Apache Modsecurity
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-52761 MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache Modsecurity
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-54571 MEDIUM POC PATCH This Week

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Apache XSS Modsecurity Red Hat +1
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-48866 HIGH POC PATCH This Week

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

Apache Denial Of Service Nginx Modsecurity Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-47947 HIGH POC PATCH This Month

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Apache Denial Of Service Modsecurity Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-27110 HIGH POC PATCH This Week

Libmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Modsecurity Red Hat Suse
NVD GitHub
CVSS 4.0
7.9
EPSS
0.1%
CVE-2024-46292 HIGH This Week

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Modsecurity
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-1019 HIGH PATCH This Week

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Modsecurity
NVD
CVSS 3.1
8.6
EPSS
0.7%
CVE-2023-38285 HIGH This Week

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Modsecurity
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-28882 HIGH This Week

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Modsecurity
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-24021 HIGH PATCH This Week

Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Modsecurity Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-42717 HIGH POC PATCH This Week

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Modsecurity Nginx Modsecurity Waf Debian Linux +2
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2020-15598 HIGH POC This Week

Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Modsecurity Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2018-13065 MEDIUM POC This Month

ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Modsecurity
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
1.4%
CVE-2013-5705 MEDIUM POC PATCH This Month

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Modsecurity Debian Linux
NVD GitHub VulDB
CVSS 2.0
5.0
EPSS
0.8%
CVE-2013-2765 MEDIUM POC PATCH This Month

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Apache Null Pointer Dereference Modsecurity Opensuse
NVD GitHub Exploit-DB
CVSS 2.0
5.0
EPSS
5.4%
CVE-2013-1915 HIGH PATCH This Week

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Modsecurity Opensuse Fedora +1
NVD GitHub
CVSS 2.0
7.5
EPSS
4.8%
CVE-2012-4528 MEDIUM POC THREAT This Month

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 11.5%.

PHP Apache Authentication Bypass Modsecurity Opensuse +1
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
11.5%
CVE-2012-2751 MEDIUM This Month

ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Modsecurity Opensuse Debian Linux Http Server
NVD
CVSS 2.0
4.3
EPSS
1.9%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

WAF filtering bypass in OWASP ModSecurity (libmodsecurity) before 3.0.16 lets remote unauthenticated attackers smuggle malicious payloads past inspection rules by exploiting a multipart/form-data parser differential. The engine silently strips embedded line breaks from non-file form-field values before populating ARGS and ARGS_POST, so any rule whose detection depends on a newline (e.g. command, header, or injection syntax spanning a line break) fails to match while the backend still receives and acts on the intact payload. No public exploit identified at time of analysis, but the CVSS base score of 8.6 reflects a scope-changing integrity impact on every application shielded by an affected deployment.

Information Disclosure Nginx Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Week

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Apache XSS +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

Apache Denial Of Service Nginx +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Month

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Apache Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 7.9
HIGH POC PATCH This Week

Libmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Modsecurity Red Hat +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Modsecurity
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Modsecurity
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Modsecurity
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Modsecurity
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Modsecurity Debian Linux
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Modsecurity +4
NVD
EPSS 3% CVSS 7.5
HIGH POC This Week

Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Modsecurity Debian Linux
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Modsecurity
NVD GitHub Exploit-DB
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Modsecurity Debian Linux
NVD GitHub VulDB
EPSS 5% CVSS 5.0
MEDIUM POC PATCH This Month

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Apache Null Pointer Dereference +2
NVD GitHub Exploit-DB
EPSS 5% CVSS 7.5
HIGH PATCH This Week

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Denial Of Service XXE Modsecurity +3
NVD GitHub
EPSS 11% CVSS 5.0
MEDIUM POC THREAT This Month

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 11.5%.

PHP Apache Authentication Bypass +3
NVD Exploit-DB
EPSS 2% CVSS 4.3
MEDIUM This Month

ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Modsecurity Opensuse +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy