Every CVE whose affected-product data names Owasp Modsecurity, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (13)
CVE-2024-1019 — CVSS 8.6 (high): ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request…
CVE-2019-19886 — CVSS 7.5 (high): Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to…
CVE-2020-15598 — CVSS 7.5 (high): Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has…
CVE-2021-42717 — CVSS 7.5 (high): ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could…
CVE-2022-48279 — CVSS 7.5 (high): In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application…
CVE-2023-28882 — CVSS 7.5 (high): Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs…
CVE-2026-42268 — CVSS 7.5 (high): ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15…
CVE-2025-48866 — CVSS 7.5 (high): ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10…
CVE-2026-30923 — CVSS 7.5 (high): ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one…
CVE-2025-54571 — CVSS 6.1 (medium): ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and…
CVE-2018-13065 — CVSS 6.1 (medium): ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply…
CVE-2019-25043 — CVSS 5.3 (medium): ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process…