
CVE-2025-54571 – ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure
https://notcve.org/view.php?id=CVE-2025-54571
05 Aug 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. ModSecurity es un motor de firewall de aplicaciones web (WAF) mult... • https://github.com/owasp-modsecurity/ModSecurity/commit/6d7e8eb18f2d7d368fb8e29516fcdeaeb8d349b8 • CWE-252: Unchecked Return Value •

CVE-2025-52891 – ModSecurity empty XML tag causes segmentation fault
https://notcve.org/view.php?id=CVE-2025-52891
02 Jul 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (e.g. <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off. • https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-gw9c-4wfm-vj3x • CWE-20: Improper Input Validation •

CVE-2025-48866 – ModSecurity has possible DoS vulnerability in sanitiseArg action
https://notcve.org/view.php?id=CVE-2025-48866
02 Jun 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg... • https://github.com/owasp-modsecurity/ModSecurity/commit/3a54ccea62d3f7151bb08cb78d60c5e90b53ca2e • CWE-1050: Excessive Platform Resource Consumption within a Loop •

CVE-2025-47947 – ModSecurity Has Possible DoS Vulnerability
https://notcve.org/view.php?id=CVE-2025-47947
21 May 2025 — ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available. A flaw was found in the mod_s... • https://github.com/owasp-modsecurity/ModSecurity/pull/3389 • CWE-1050: Excessive Platform Resource Consumption within a Loop •

CVE-2025-27110 – Libmodsecurity3 has possible bypass of encoded HTML entities
https://notcve.org/view.php?id=CVE-2025-27110
25 Feb 2025 — Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available. • https://github.com/owasp-modsecurity/ModSecurity/issues/3340 • CWE-172: Encoding Error •