Lucene search
+L
OwaspOwasp Modsecurity Core Rule Set

9 matches found

CVE
CVE
added 2026/01/08 1:55 p.m.194 views

CVE-2026-21876

CVE-2026-21876 : The OWASP ModSecurity Core Rule Set (CRS) had a bug in rule 922110 that affects multipart requests. In earlier versions (before 4.22.0 and 3.3.8), when a chain iterates over a collection (e.g., MULTIPART_PART_HEADERS), capture variables TX:0 and TX:1 are overwritten on each itera...

9.3CVSS6.5AI score0.13124EPSS
Web
CVE
CVE
added 2022/09/20 12:0 a.m.151 views

CVE-2022-39956

CVE-2022-39956 affects the OWASP ModSecurity Core Rule Set (CRS) and enables a partial rule set bypass for HTTP multipart requests when a payload uses certain character encoding schemes in Content-Type or Content-Transfer-Encoding headers. The issue impacts legacy CRS versions 3.0.x and 3.1.x, an...

9.8CVSS8.6AI score0.00952EPSS
CVE
CVE
added 2022/09/20 12:0 a.m.113 views

CVE-2022-39958

The CVE-2022-39958 issue affects the OWASP ModSecurity Core Rule Set (CRS) and enables a response-body bypass that can exfiltrate small data portions by repeatedly issuing HTTP Range requests. Affected legacy CRS: 3.0.x, 3.1.x; and currently supported: 3.2.1, 3.3.2. Upgrades are recommended to CR...

7.5CVSS7.9AI score0.00953EPSS
CVE
CVE
added 2022/09/20 12:0 a.m.111 views

CVE-2022-39955

This CVE concerns the OWASP ModSecurity Core Rule Set (CRS) with a partial rule set bypass caused by a specially crafted HTTP Content-Type header that signals multiple charset encodings. A vulnerable backend could bypass CRS Content-Type charset allow lists, allowing an encoded payload to bypass ...

9.8CVSS8AI score0.01115EPSS
CVE
CVE
added 2022/09/20 12:0 a.m.94 views

CVE-2022-39957

CVE-2022-39957 affects the OWASP ModSecurity Core Rule Set (CRS). The issue is a response body bypass: a client can send an HTTP Accept header with an optional charset parameter, causing the WAF to deliver a form that may not be decoded correctly, potentially bypassing detection of restricted res...

7.5CVSS7.6AI score0.00771EPSS
CVE
CVE
added 2021/11/05 12:0 a.m.88 views

CVE-2021-35368

CVE-2021-35368 affects OWASP ModSecurity Core Rule Set (CRS) 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 via a Request Body Bypass caused by a trailing pathname. The issue is validated across multiple advisories: GLSA-202305-25 (Gentoo) instructs upgrading to CRS 3.2.2 or 3.3.3...

9.8CVSS9.2AI score0.02542EPSS
CVE
CVE
added 2018/09/03 12:0 a.m.82 views

CVE-2018-16384

CVE-2018-16384 describes a SQL injection bypass in the OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) via a crafted payload {ab}, where a is a function name (e.g., if) and b is the SQL to execute. Public details reference CRS versions up to 3.1.0-rc3, with later advisories noting related...

7.5CVSS8.2AI score0.01672EPSS
CVE
CVE
added 2022/09/02 12:0 a.m.75 views

CVE-2020-22669

CVE-2020-22669 affects the OWASP ModSecurity CRS; a SQL injection bypass exists in ModSecurity CRS versions including 3.2.0 PL1. Reports describe bypass via SQL syntax comments/variable assignments that defeat CRS protections. Debian and Mageia advisories indicate remediation by upgrading CRS to ...

9.8CVSS9.6AI score0.01029EPSS
CVE
CVE
added 2026/04/02 3:3 p.m.47 views

CVE-2026-33691

The CVE-2026-33691 issue affects OWASP CRS prior to versions 3.3.9 and 4.25.0, where whitespace padding in filenames bypasses the file-extension checks for dangerous extensions (.php, .phar, .jsp, .jspx) because the extension regex is not applied after normalizing whitespace. The vulnerability is...

7.5CVSS5.7AI score0.02172EPSS