Source: modsecurity
Version: 3.0.15-1
Severity: important
Tags: upstream
X-Debbugs-Cc: [email protected]

Hi,

The following vulnerabilities were published for modsecurity.

CVE-2026-52747[0]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16,
| the multipart/form-data request body parser in libmodsecurity
| silently removes embedded line breaks from non-file form-field
| values before exporting them to ARGS and ARGS_POST because
| src/request_body_processor/multipart.cc overwrites reserved bytes in
| m_reserve instead of appending the current buffer. This creates a
| parser differential between ModSecurity and backend applications
| that preserve line breaks in form fields, allowing rules that
| inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax
| depends on a line break. This issue is fixed in version 3.0.16.


CVE-2026-52761[1]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through
| 3.0.15, the t:utf8toUnicode transformation in
| src/actions/transformations/utf8_to_unicode.cc produces wrong output
| on i386 architecture because snprintf uses sizeof on a char pointer
| rather than the length of the unicode buffer, allowing rules that
| use this transformation to be bypassed on i386 architecture. This
| issue is fixed in version 3.0.16.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-52747
    https://www.cve.org/CVERecord?id=CVE-2026-52747
    
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88
[1] https://security-tracker.debian.org/tracker/CVE-2026-52761
    https://www.cve.org/CVERecord?id=CVE-2026-52761
    
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to