How many CVEs does owasp owasp modsecurity core rule set have?

owasp owasp modsecurity core rule set has 9 published CVE records since 2018.

How many owasp owasp modsecurity core rule set CVEs are in CISA KEV?

None of owasp owasp modsecurity core rule set's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Are there public exploits for owasp owasp modsecurity core rule set vulnerabilities?

Yes — 1 of owasp owasp modsecurity core rule set's CVEs have a known public exploit.

Which versions of owasp owasp modsecurity core rule set are affected?

21 distinct owasp owasp modsecurity core rule set versions are named across its CVEs. Use the version filter above to see the CVEs affecting a specific version.

What are the most common weakness types in owasp owasp modsecurity core rule set CVEs?

owasp owasp modsecurity core rule set's CVEs most often map to these CWE weakness types: CWE-863 (Incorrect Authorization), CWE-178 (Improper Handling of Case Sensitivity), CWE-693 (Protection Mechanism Failure), CWE-794 (Incomplete Filtering of Multiple Instances of Special Elements).

How many critical owasp owasp modsecurity core rule set vulnerabilities are there?

owasp owasp modsecurity core rule set has 1 critical and 4 high-severity CVEs.

What is the average severity of owasp owasp modsecurity core rule set CVEs?

The average CVSS base score across owasp owasp modsecurity core rule set's scored CVEs is 7.6.

owasp modsecurity core rule set Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of owasp modsecurity core rule set's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical1

High4

Medium1

Low0

3 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of owasp modsecurity core rule set's CVEs are currently listed in CISA's KEV catalog.

Public exploits

One of owasp modsecurity core rule set's CVEs has a known public exploit available.

Affected versions and CVEs

Browse every owasp modsecurity core rule set version named in a CVE, then pick one to see only the CVEs that affect it.

Version ranges

3.0.0 <= v < 3.2.24 CVEs
3.3.0 <= v < 3.3.34 CVEs
< 3.3.81 CVE
< 3.3.91 CVE
<= 3.0.21 CVE
3.1.0 <= v < 3.1.21 CVE
3.1.0 <= v <= 3.1.01 CVE
3.2.0 <= v < 3.2.11 CVE
3.2.0 <= v <= 3.2.01 CVE
3.3.0 <= v < 3.3.21 CVE
4.0.0 <= v < 4.22.01 CVE
4.0.0 <= v < 4.25.01 CVE

Fixed in

3.2.24 CVEs
3.3.34 CVEs
3.1.21 CVE
3.2.11 CVE
3.3.21 CVE
3.3.81 CVE
3.3.91 CVE
4.22.01 CVE
4.25.01 CVE

Find a version

9 CVEs

Sort

OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
CVE-2026-33691
Patch
CWE-178
Medium · CVSS 6.8
EPSS 0.0% (10th pct)2026-04-02
OWASP CRS has multipart bypass using multiple content-type parts
CVE-2026-21876
Public exploit
Patch
CWE-794
Critical · CVSS 9.3
EPSS 3.4% (88th pct)2026-01-08
Response body bypass in OWASP ModSecurity Core Rule Set via repeated HTTP Range header submission with a small byte range
CVE-2022-39958
Patch
CWE-863
High · CVSS 7.5
EPSS 0.6% (69th pct)2022-09-20
Response body bypass in OWASP ModSecurity Core Rule Set via a specialy crafted charset in the HTTP Accept header
CVE-2022-39957
Patch
CWE-693
High · CVSS 7.3
EPSS 0.9% (76th pct)2022-09-20
Partial rule set bypass in OWASP ModSecurity Core Rule Set for HTTP multipart requests using character encoding in the Content-Type or Content-Transfer-Encoding header
CVE-2022-39956
Patch
CWE-863
High · CVSS 7.3
EPSS 0.1% (31th pct)2022-09-20
Partial rule set bypass in OWASP ModSecurity Core Rule Set by submitting a specially crafted HTTP Content-Type header
CVE-2022-39955
Patch
CWE-863
High · CVSS 7.3
EPSS 0.8% (74th pct)2022-09-20
Vulnerability · 2022-09-02
CVE-2020-22669
Unscored
EPSS 0.3% (50th pct)2022-09-02
Vulnerability · 2021-11-05
CVE-2021-35368
Patch
Unscored
EPSS 0.3% (54th pct)2021-11-05
Vulnerability · 2018-09-03
CVE-2018-16384
Unscored
EPSS 0.3% (50th pct)2018-09-03

Severity and exploitation

Affected versions and CVEs

Version ranges

Fixed in

owasp modsecurity core rule set Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Version ranges

Fixed in

Common weakness types

Disclosure activity by year

Other owasp products

Frequently asked questions

How many CVEs does owasp owasp modsecurity core rule set have?

How many owasp owasp modsecurity core rule set CVEs are in CISA KEV?

Are there public exploits for owasp owasp modsecurity core rule set vulnerabilities?

Which versions of owasp owasp modsecurity core rule set are affected?

What are the most common weakness types in owasp owasp modsecurity core rule set CVEs?

How many critical owasp owasp modsecurity core rule set vulnerabilities are there?

What is the average severity of owasp owasp modsecurity core rule set CVEs?

References

Track owasp modsecurity core rule set vulnerabilities