VYPR

ModSecurity

by Trustwave

CVEs (30)

  • CVE-2026-42268 (High) May 12, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator)…

  • CVE-2026-30923 (High) May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string…

  • CVE-2018-13065 (Medium) Jul 3, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured.

  • CVE-2025-52891 (Medium) Jul 2, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is…

  • CVE-2012-4528 Dec 28, 2012
    risk 0.04 | cvss n/a | epss 0.13

    The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.

  • CVE-2009-1902 Jun 3, 2009
    risk 0.04 | cvss n/a | epss 0.14

    The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form-data POST request with a missing part header name, which triggers a NULL pointer dereference.

  • CVE-2007-1359 Mar 8, 2007
    risk 0.04 | cvss n/a | epss 0.07

    Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows remote attackers to bypass request rules via application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a terminator even though it is still…

  • CVE-2025-54571 Aug 5, 2025
    risk 0.00 | cvss n/a | epss 0.00

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For…

  • CVE-2025-48866 Jun 2, 2025
    risk 0.00 | cvss n/a | epss 0.01

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the…

  • CVE-2025-47947 May 21, 2025
    risk 0.00 | cvss n/a | epss 0.01

    ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is…

  • CVE-2025-27110 Feb 25, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in…

  • CVE-2024-46292 Oct 9, 2024
    risk 0.00 | cvss n/a | epss 0.01

    A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not…

  • CVE-2024-1019 Jan 30, 2024
    risk 0.00 | cvss n/a | epss 0.01

    ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional…

  • CVE-2023-38285 Jul 26, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

  • CVE-2023-28882 Apr 28, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

  • CVE-2023-24021 Jan 20, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.

  • CVE-2022-48279 Jan 20, 2023
    risk 0.00 | cvss n/a | epss 0.01

    In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

  • CVE-2021-42717 Dec 7, 2021
    risk 0.00 | cvss n/a | epss 0.03

    ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the…

  • CVE-2019-25043 May 6, 2021
    risk 0.00 | cvss n/a | epss 0.01

    ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.

  • CVE-2020-15598 Oct 6, 2020
    risk 0.00 | cvss n/a | epss 0.03

    Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can…
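The decoding-order bypass described for CVE-2024-1019 above, as an added C++ illustration that is not libmodsecurity's code: a WAF that percent-decodes the whole request-target before splitting it at '?' turns an encoded %3F into a real separator and inspects a truncated path, while a backend that splits first and decodes each component separately still sees the full path. The function names, the path rule and the request-target are this example's own constructions.

```cpp
// Added illustration of the decode-before-split bug class described for
// CVE-2024-1019. Not libmodsecurity's code: it models the two possible orders
// of "percent-decode" and "split at '?'" on a request-target string.
#include <string>

// Hex digit value, or -1 if c is not a hex digit.
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Percent-decode a string; malformed escapes are passed through unchanged.
std::string percent_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size()) {
            int h = hexval(s[i + 1]), l = hexval(s[i + 2]);
            if (h >= 0 && l >= 0) {
                out += static_cast<char>(h * 16 + l);
                i += 2;
                continue;
            }
        }
        out += s[i];
    }
    return out;
}

struct Target { std::string path; std::string query; };

// Split a request-target at the first '?' (no decoding here).
static Target split_at_query(const std::string& s) {
    size_t q = s.find('?');
    if (q == std::string::npos) return {s, ""};
    return {s.substr(0, q), s.substr(q + 1)};
}

// Vulnerable order: decode the whole request-target, then split. An encoded
// "%3F" becomes a real '?' and truncates the path the rules get to see.
Target waf_decode_then_split(const std::string& target) {
    return split_at_query(percent_decode(target));
}

// Correct order (and what a backend does): split on the raw '?', then decode
// each component on its own, so "%3F" stays inside the path as a literal '?'.
Target split_then_decode(const std::string& target) {
    Target t = split_at_query(target);
    t.path = percent_decode(t.path);
    t.query = percent_decode(t.query);
    return t;
}

// A path-based rule in the style of a REQUEST_FILENAME traversal check.
bool path_rule_blocks(const Target& t) {
    return t.path.find("../") != std::string::npos;
}

// Constructed probe: the traversal sequence sits after an encoded '?'.
const char* kProbe = "/static/%3F../../etc/passwd";

int main() {
    bool waf_sees = path_rule_blocks(waf_decode_then_split(kProbe));  // false: bypassed
    bool app_sees = path_rule_blocks(split_then_decode(kProbe));      // true
    return (!waf_sees && app_sees) ? 0 : 1;
}
```

The check a practitioner wants is on the order of the two operations, not on the rule: the same traversal rule fires in split_then_decode and stays silent in waf_decode_then_split on identical bytes, which is exactly the WAF/backend disagreement the advisory text describes.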
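The embedded-NUL truncation behind CVE-2007-1359 and CVE-2023-24021 above, as an added C++ illustration rather than ModSecurity's own parser: once a request body is handed around as a NUL-terminated C string, strlen() rather than the framing length decides where the data ends, and a rule never sees what follows the 0x00 byte even though the application does. The parser, the rule and the sample body are constructed for this example.

```cpp
// Added illustration of the embedded-NUL class behind CVE-2007-1359 and
// CVE-2023-24021. Not ModSecurity's code; all names are this example's own.
#include <cstring>
#include <string>
#include <utility>
#include <vector>

using Pair = std::pair<std::string, std::string>;

// Split "k=v&k2=v2" within exactly [data, data + len). Empty fields are skipped.
static std::vector<Pair> parse_range(const char* data, size_t len) {
    std::vector<Pair> out;
    size_t start = 0;
    while (start < len) {
        size_t amp = start;
        while (amp < len && data[amp] != '&') ++amp;
        std::string field(data + start, amp - start);   // length-based: keeps NULs
        if (!field.empty()) {
            size_t eq = field.find('=');
            if (eq == std::string::npos) out.emplace_back(field, "");
            else out.emplace_back(field.substr(0, eq), field.substr(eq + 1));
        }
        start = amp + 1;
    }
    return out;
}

// Vulnerable: the body is handed over as a C string, so strlen() defines the
// length and everything after the first 0x00 byte is invisible to the rules.
std::vector<Pair> parse_as_cstring(const std::string& body) {
    return parse_range(body.c_str(), std::strlen(body.c_str()));
}

// Fixed: the length comes from the framing (Content-Length, here the
// std::string size), so a NUL is just another byte inside a value.
std::vector<Pair> parse_with_length(const std::string& body) {
    return parse_range(body.data(), body.size());
}

// Rule: block if any argument value carries a shell command chain.
bool rule_blocks(const std::vector<Pair>& args) {
    for (const auto& kv : args)
        if (kv.second.find("; cat ") != std::string::npos) return true;
    return false;
}

// Constructed body with an embedded NUL before the payload. sizeof - 1 keeps
// the NUL inside the std::string instead of letting it terminate the literal.
static const char kRaw[] = "x=1\0&cmd=ls; cat /etc/passwd";
const std::string kBody(kRaw, sizeof(kRaw) - 1);

int main() {
    bool waf_blocks = rule_blocks(parse_as_cstring(kBody));   // false: truncated at NUL
    bool app_sees   = rule_blocks(parse_with_length(kBody));  // true: full body parsed
    return (!waf_blocks && app_sees) ? 0 : 1;
}
```

The fix is structural rather than a rule change: any interface that passes the body as a bare `const char*` without its length reintroduces the truncation, which is why the 2023 entry on FILES_TMP_CONTENT is the same class of bug sixteen years later.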

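The empty-key crash recorded for CVE-2019-25043 ("Cookie: =abc") and the unsigned-underflow-to-std::out_of_range class recorded for CVE-2026-42268 above, as an added C++ illustration; this is example code, not libmodsecurity's cookie parser. A key of length zero makes key.size() - 1 wrap to SIZE_MAX, substr() throws, and an uncaught exception takes the worker process down; the fixed variant validates before it indexes. Function names and the trailing-space trim are this example's choices.

```cpp
// Added illustration of the empty-key / unsigned-underflow bug class named
// for CVE-2019-25043 and CVE-2026-42268. Not libmodsecurity's parser.
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

using Pair = std::pair<std::string, std::string>;

// Split a Cookie header on ';' into raw items, no validation.
static std::vector<std::string> split_items(const std::string& header) {
    std::vector<std::string> items;
    size_t start = 0;
    while (start < header.size()) {
        size_t end = header.find(';', start);
        if (end == std::string::npos) end = header.size();
        items.push_back(header.substr(start, end - start));
        start = end + 1;
    }
    return items;
}

// Vulnerable: assumes every key has at least one character. For "=abc" the
// key is "", key.size() - 1 wraps to SIZE_MAX, and std::string::substr throws
// std::out_of_range. Nothing catches it, so the worker process dies.
std::vector<Pair> parse_cookie_naive(const std::string& header) {
    std::vector<Pair> out;
    for (const std::string& item : split_items(header)) {
        size_t eq = item.find('=');
        std::string key = item.substr(0, eq);   // eq == npos: whole item is the key
        std::string val = (eq == std::string::npos) ? "" : item.substr(eq + 1);
        if (key.substr(key.size() - 1) == " ") key.pop_back();   // strip trailing space
        out.emplace_back(key, val);
    }
    return out;
}

// Fixed: trim with emptiness checks, skip items with an empty name, and never
// form an index from size() - 1 without first proving size() > 0.
std::vector<Pair> parse_cookie_safe(const std::string& header) {
    std::vector<Pair> out;
    for (const std::string& item : split_items(header)) {
        size_t eq = item.find('=');
        std::string key = item.substr(0, eq);
        std::string val = (eq == std::string::npos) ? "" : item.substr(eq + 1);
        while (!key.empty() && key.front() == ' ') key.erase(0, 1);
        while (!key.empty() && key.back() == ' ') key.pop_back();
        if (key.empty()) continue;   // "Cookie: =abc" is dropped, not fatal
        out.emplace_back(key, val);
    }
    return out;
}

// Does `parser` escape with std::out_of_range on this header value?
bool throws_out_of_range(std::vector<Pair> (*parser)(const std::string&),
                         const std::string& header) {
    try { parser(header); }
    catch (const std::out_of_range&) { return true; }
    return false;
}

int main() {
    // "Cookie: =abc": the naive parser aborts, the safe one returns no items.
    bool naive_dies = throws_out_of_range(parse_cookie_naive, "=abc");
    bool safe_dies  = throws_out_of_range(parse_cookie_safe, "=abc");
    return (naive_dies && !safe_dies) ? 0 : 1;
}
```

When auditing similar code, grep for `size() - 1`, `length() - 1` and `.at(0)` on strings that come from the request and ask whether an empty value can reach them; that pattern is how both the 2019 and the 2026 entries read.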
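A bounded-depth pre-check for the nested-JSON exhaustion described for CVE-2021-42717 above, as an added C++ illustration that is not ModSecurity's JSON handling: a single linear pass counts bracket depth outside of strings and rejects the body as soon as a configured limit is exceeded, before any tree-building parser allocates per nesting level. The limit values, the generator for the attack body and the function names are this example's choices.

```cpp
// Added illustration of a nesting-depth limit for the CVE-2021-42717 class
// (deeply nested JSON exhausting a worker). Not ModSecurity's code.
#include <string>

// Maximum nesting depth of [] and {} outside string literals, or -1 as soon
// as `limit` is exceeded, so a 300 KB "[[[[..." is rejected after `limit`
// bytes rather than after a full recursive parse.
int json_max_depth(const std::string& doc, int limit) {
    int depth = 0, max_depth = 0;
    bool in_string = false, escaped = false;
    for (char c : doc) {
        if (in_string) {                 // brackets inside strings do not count
            if (escaped) escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"') in_string = false;
            continue;
        }
        if (c == '"') { in_string = true; continue; }
        if (c == '{' || c == '[') {
            if (++depth > limit) return -1;
            if (depth > max_depth) max_depth = depth;
        } else if (c == '}' || c == ']') {
            if (depth > 0) --depth;      // tolerate unbalanced input; the real parser rejects it
        }
    }
    return max_depth;
}

// Constructed attack body: n nested arrays, the shape the advisory describes.
std::string nested_arrays(size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

// Gate to run before the JSON body processor is invoked at all.
bool accept_body(const std::string& body, int limit) {
    return json_max_depth(body, limit) >= 0;
}

int main() {
    bool small_ok = accept_body(nested_arrays(50), 64);        // true
    bool huge_ok  = accept_body(nested_arrays(150000), 64);    // false, after 65 bytes
    return (small_ok && !huge_ok) ? 0 : 1;
}
```

The pre-check is O(n) in the body size with constant memory, which is the property that matters here: the cost of saying no must not itself scale with the attacker's nesting depth.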
Page 1 of 2