trustwave modsecurity

35 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-42268
>= 3.0.0 and < 3.0.15
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to befor
7.5 HIGH
CVE-2026-30923
< 3.0.15
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is o
7.5 HIGH
CVE-2025-54571
>= 2.0.0 and < 2.9.12
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11
6.1 MEDIUM
CVE-2025-48866
< 2.9.10
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2
7.5 HIGH
CVE-2025-47947
< 2.9.9
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and
7.5 HIGH
CVE-2025-27110
all versions
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connecto
7.5 HIGH
CVE-2024-46292
all versions
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the
7.5 HIGH
CVE-2024-1019
>= 3.0.0 and < 3.0.12
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted r
8.6 HIGH
CVE-2023-38285
>= 3.0.0 and < 3.0.10
Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.
7.5 HIGH
CVE-2023-28882
>= 3.0.5 and < 3.0.9
Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some
7.5 HIGH
CVE-2023-24021
< 2.9.7
Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and b
7.5 HIGH
CVE-2022-48279
< 2.9.6
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Applica
7.5 HIGH
CVE-2021-42717
>= 2.0.0 and < 2.9.5
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep
7.5 HIGH
CVE-2019-25043
>= 3.0.0 and < 3.0.4
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-
5.3 MEDIUM
CVE-2020-15598
>= 3.0.0 and <= 3.0.4
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave ha
7.5 HIGH
CVE-2019-19886
>= 3.0.0 and <= 3.0.3
Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes
7.5 HIGH
CVE-2019-13464
all versions
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PH
7.5 HIGH
CVE-2019-11391
<= 3.1.0
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf all
5.3 MEDIUM
CVE-2019-11390
<= 3.1.0
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf all
5.3 MEDIUM
CVE-2019-11389
<= 3.1.0
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf all
5.3 MEDIUM
CVE-2019-11388
<= 3.1.0
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf all
5.3 MEDIUM
CVE-2019-11387
>= 3.0.0 and <= 3.1.0
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf al
5.3 MEDIUM
CVE-2018-13065
all versions
ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may o
6.1 MEDIUM
CVE-2013-5705
< 2.7.6
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a
CVE-2013-2765
< 2.7.4
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer
CVE-2013-1915
< 2.7.3
ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denia
CVE-2012-4528
< 2.7.0
The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary PO
CVE-2012-2751
< 2.6.6
ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter v
CVE-2009-5031
< 2.5.11
ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypa
CVE-2009-1903
< 2.5.8
The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd cras
CVE-2009-1902
< 2.5.9
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart f
CVE-2008-5676
<= 2.5.0
Multiple unspecified vulnerabilities in the ModSecurity (aka mod_security) module 2.5.0 through 2.5.5 for the Apache HTTP Server,
CVE-2007-1359
all versions
Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows remote attackers to bypass request rules via applic
CVE-2004-1765
all versions
Off-by-one buffer overflow in ModSecurity (mod_security) 1.7.4 for Apache 2.x, when SecFilterScanPost is enabled, allows remote at
CVE-2003-1171
all versions
Heap-based buffer overflow in the sec_filter_out function in mod_security 1.7RC1 through 1.7.1 in Apache 2 allows remote attackers