How many CVEs does owasp modsecurity have?

owasp modsecurity has 13 published CVE records since 2018.

How many owasp modsecurity CVEs are in CISA KEV?

None of owasp modsecurity's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Which versions of owasp modsecurity are affected?

22 distinct owasp modsecurity versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in owasp modsecurity CVEs?

owasp modsecurity's CVEs most often map to these CWE weakness types: CWE-1050 (Excessive Platform Resource Consumption within a Loop), CWE-125 (Out-of-bounds Read), CWE-20 (Improper Input Validation), CWE-248 (Uncaught Exception).

What is the average severity of owasp modsecurity CVEs?

The average CVSS base score across owasp modsecurity's scored CVEs is 7.8.

owasp modsecurity Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of owasp modsecurity's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High6

Medium1

Low0

6 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of owasp modsecurity's CVEs are currently listed in CISA's KEV catalog.

Public exploits

6 of owasp modsecurity's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every owasp modsecurity version named in a CVE, then pick one to see only the CVEs that affect it.

Version ranges

< 2.9.101 CVE
< 3.0.151 CVE
2.0.0 <= v < 2.9.121 CVE
3.0.0 <= v < 3.0.101 CVE
3.0.0 <= v < 3.0.121 CVE
3.0.0 <= v < 3.0.151 CVE
3.0.0 <= v < 3.0.41 CVE
3.0.0 <= v < 3.0.61 CVE
3.0.0 <= v < 3.0.81 CVE
3.0.0 <= v <= 3.0.01 CVE
3.0.0 <= v <= 3.0.31 CVE
3.0.0 <= v <= 3.0.41 CVE
3.0.5 <= v < 3.0.91 CVE

Fixed in

3.0.152 CVEs
2.9.101 CVE
2.9.121 CVE
3.0.101 CVE
3.0.121 CVE
3.0.41 CVE
3.0.61 CVE
3.0.81 CVE
3.0.91 CVE

Find a version

13 CVEs

Sort

ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators
CVE-2026-42268
Public exploit
Patch
CWE-248
High · CVSS 8.2
EPSS 0.1% (17th pct)2026-05-12
libModSecurity3 denial of service via segfault when using t:hexDecode on single-character query strings
CVE-2026-30923
Public exploit
Patch
CWE-125
High · CVSS 8.2
EPSS 0.1% (18th pct)2026-05-05
ModSecurity's Insufficient Return Value Handling can Lead to XSS and Source Code Disclosure
CVE-2025-54571
Public exploit
Patch
CWE-252
Medium · CVSS 6.9
EPSS 0.3% (54th pct)2025-08-05
ModSecurity has possible DoS vulnerability in sanitiseArg action
CVE-2025-48866
Public exploit
Patch
CWE-1050
High · CVSS 7.5
EPSS 1.1% (78th pct)2025-06-02
WAF bypass of the ModSecurity v3 release line
CVE-2024-1019
Patch
Workaround
CWE-20
High · CVSS 8.6
EPSS 0.3% (54th pct)2024-01-30
Vulnerability · 2023-07-26
CVE-2023-38285
Patch
Unscored
EPSS 0.6% (70th pct)2023-07-26
High vulnerability · 2023-04-28
CVE-2023-28882
Patch
CWE-770
High · CVSS 7.5
EPSS 0.1% (30th pct)2023-04-28
High vulnerability · 2023-01-20
CVE-2022-48279
Patch
CWE-436
High · CVSS 7.5
EPSS 0.9% (76th pct)2023-01-20
Vulnerability · 2021-12-07
CVE-2021-42717
Patch
Unscored
EPSS 2.0% (84th pct)2021-12-07
Vulnerability · 2021-05-06
CVE-2019-25043
Patch
Unscored
EPSS 0.4% (60th pct)2021-05-06
Vulnerability · 2020-10-06
CVE-2020-15598
Public exploit
Patch
Unscored
EPSS 3.8% (88th pct)2020-10-06
Vulnerability · 2020-01-21
CVE-2019-19886
Unscored
EPSS 4.0% (89th pct)2020-01-21
Vulnerability · 2018-07-03
CVE-2018-13065
Public exploit
Unscored
EPSS 0.3% (52th pct)2018-07-03

Severity and exploitation

Affected versions and CVEs

Version ranges

Fixed in

owasp modsecurity Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Version ranges

Fixed in

Common weakness types

Disclosure activity by year

Other owasp products

Frequently asked questions

How many CVEs does owasp modsecurity have?

How many owasp modsecurity CVEs are in CISA KEV?

Are there public exploits for owasp modsecurity vulnerabilities?

Which versions of owasp modsecurity are affected?

What are the most common weakness types in owasp modsecurity CVEs?

What is the average severity of owasp modsecurity CVEs?

References

Track owasp modsecurity vulnerabilities