Owasp

Modsecurity

13 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2026-42268

Exploit
  • EPSS 0.04%
  • Veröffentlicht 12.05.2026 21:40:19
  • Zuletzt bearbeitet 14.05.2026 14:49:57

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if...

7.5

CVE-2026-30923

Exploit
  • EPSS 0.05%
  • Veröffentlicht 05.05.2026 18:46:03
  • Zuletzt bearbeitet 07.05.2026 13:41:10

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation...

6.1

CVE-2025-54571

Exploit
  • EPSS 0.1%
  • Veröffentlicht 05.08.2025 23:39:40
  • Zuletzt bearbeitet 03.11.2025 19:16:11

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on th...

7.5

CVE-2025-48866

Exploit
  • EPSS 1.07%
  • Veröffentlicht 02.06.2025 15:46:19
  • Zuletzt bearbeitet 02.07.2025 18:11:34

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `s...

8.6

CVE-2024-1019

  • EPSS 0.31%
  • Veröffentlicht 30.01.2024 16:15:47
  • Zuletzt bearbeitet 03.07.2025 20:59:18

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path ...

7.5

CVE-2023-38285

  • EPSS 0.56%
  • Veröffentlicht 26.07.2023 21:15:10
  • Zuletzt bearbeitet 03.07.2025 20:59:18

Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.

7.5

CVE-2023-28882

  • EPSS 0.12%
  • Veröffentlicht 28.04.2023 04:15:38
  • Zuletzt bearbeitet 03.07.2025 20:59:18

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

7.5

CVE-2022-48279

  • EPSS 0.65%
  • Veröffentlicht 20.01.2023 19:15:17
  • Zuletzt bearbeitet 03.07.2025 20:59:18

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C l...

7.5

CVE-2021-42717

Exploit
  • EPSS 2.04%
  • Veröffentlicht 07.12.2021 22:15:06
  • Zuletzt bearbeitet 03.07.2025 20:59:18

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP ...

5.3

CVE-2019-25043

Exploit
  • EPSS 0.38%
  • Veröffentlicht 06.05.2021 17:15:07
  • Zuletzt bearbeitet 03.07.2025 20:59:18

ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.