Modsecurity Security Vulnerabilities and Issues — Modsecurity CVE List

Lucene search

OwaspModsecurity

10 matches found

CVE•added 2023/07/26 9:15 p.m.•332 views

CVE-2023-38285

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

7.5CVSS7.3AI score0.00311EPSS

CVE•added 2023/04/28 4:15 a.m.•322 views

CVE-2023-28882

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

7.5CVSS7.2AI score0.00059EPSS

CVE•added 2021/12/07 10:15 p.m.•102 views

CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worke...

7.5CVSS7.3AI score0.01628EPSS

CVE•added 2023/01/20 7:15 p.m.•100 views

CVE-2022-48279

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

7.5CVSS8.4AI score0.00514EPSS

CVE•added 2020/01/21 10:15 p.m.•82 views

CVE-2019-19886

Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.

7.5CVSS7.2AI score0.04013EPSS

CVE•added 2020/10/06 2:15 p.m.•75 views

CVE-2020-15598

Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial o...

7.5CVSS7.2AI score0.04774EPSS

CVE•added 2025/06/02 4:15 p.m.•70 views

CVE-2025-48866

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg (and sanitizeArg - this is the same action but an alias) i...

7.5CVSS7.4AI score0.0015EPSS

CVE•added 2024/01/30 4:15 p.m.•50 views

CVE-2024-1019

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string componen...

8.6CVSS8.4AI score0.00314EPSS

CVE•added 2018/07/03 12:29 p.m.•39 views

CVE-2018-13065

ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured

6.1CVSS5.9AI score0.00284EPSS

CVE•added 2021/05/06 5:15 p.m.•29 views

CVE-2019-25043

ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.

5.3CVSS5.3AI score0.00382EPSS