Owasp Owasp Modsecurity Core Rule Set — known CVE vulnerabilities
Every CVE whose affected-product data names Owasp Owasp Modsecurity Core Rule Set, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2021-35368 — CVSS 9.8 (critical): OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a…
CVE-2020-22669 — CVSS 9.8 (critical): Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment…
CVE-2026-21876 — CVSS 9.3 (critical): The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to…
CVE-2022-39958 — CVSS 7.5 (high): The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections…
CVE-2018-16384 — CVSS 7.5 (high): A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b}…
CVE-2022-39956 — CVSS 7.3 (high): The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that…
CVE-2022-39955 — CVSS 7.3 (high): The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type…
CVE-2022-39957 — CVSS 7.3 (high): The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing…
CVE-2026-33691 — CVSS 6.8 (medium): The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to…