9 matches found
CVE-2026-21876
CVE-2026-21876 : The OWASP ModSecurity Core Rule Set (CRS) had a bug in rule 922110 that affects multipart requests. In earlier versions (before 4.22.0 and 3.3.8), when a chain iterates over a collection (e.g., MULTIPART_PART_HEADERS), capture variables TX:0 and TX:1 are overwritten on each itera...
CVE-2022-39956
CVE-2022-39956 affects the OWASP ModSecurity Core Rule Set (CRS) and enables a partial rule set bypass for HTTP multipart requests when a payload uses certain character encoding schemes in Content-Type or Content-Transfer-Encoding headers. The issue impacts legacy CRS versions 3.0.x and 3.1.x, an...
CVE-2022-39958
The CVE-2022-39958 issue affects the OWASP ModSecurity Core Rule Set (CRS) and enables a response-body bypass that can exfiltrate small data portions by repeatedly issuing HTTP Range requests. Affected legacy CRS: 3.0.x, 3.1.x; and currently supported: 3.2.1, 3.3.2. Upgrades are recommended to CR...
CVE-2022-39955
This CVE concerns the OWASP ModSecurity Core Rule Set (CRS) with a partial rule set bypass caused by a specially crafted HTTP Content-Type header that signals multiple charset encodings. A vulnerable backend could bypass CRS Content-Type charset allow lists, allowing an encoded payload to bypass ...
CVE-2022-39957
CVE-2022-39957 affects the OWASP ModSecurity Core Rule Set (CRS). The issue is a response body bypass: a client can send an HTTP Accept header with an optional charset parameter, causing the WAF to deliver a form that may not be decoded correctly, potentially bypassing detection of restricted res...
CVE-2021-35368
CVE-2021-35368 affects OWASP ModSecurity Core Rule Set (CRS) 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 via a Request Body Bypass caused by a trailing pathname. The issue is validated across multiple advisories: GLSA-202305-25 (Gentoo) instructs upgrading to CRS 3.2.2 or 3.3.3...
CVE-2018-16384
CVE-2018-16384 describes a SQL injection bypass in the OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) via a crafted payload {ab}, where a is a function name (e.g., if) and b is the SQL to execute. Public details reference CRS versions up to 3.1.0-rc3, with later advisories noting related...
CVE-2020-22669
CVE-2020-22669 affects the OWASP ModSecurity CRS; a SQL injection bypass exists in ModSecurity CRS versions including 3.2.0 PL1. Reports describe bypass via SQL syntax comments/variable assignments that defeat CRS protections. Debian and Mageia advisories indicate remediation by upgrading CRS to ...
CVE-2026-33691
The CVE-2026-33691 issue affects OWASP CRS prior to versions 3.3.9 and 4.25.0, where whitespace padding in filenames bypasses the file-extension checks for dangerous extensions (.php, .phar, .jsp, .jspx) because the extension regex is not applied after normalizing whitespace. The vulnerability is...