Source: modsecurity Version: 3.0.15-1 Severity: important Tags: upstream X-Debbugs-Cc: [email protected]
Hi, The following vulnerabilities were published for modsecurity. CVE-2026-52747[0]: | ModSecurity is an open source, cross platform web application | firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, | the multipart/form-data request body parser in libmodsecurity | silently removes embedded line breaks from non-file form-field | values before exporting them to ARGS and ARGS_POST because | src/request_body_processor/multipart.cc overwrites reserved bytes in | m_reserve instead of appending the current buffer. This creates a | parser differential between ModSecurity and backend applications | that preserve line breaks in form fields, allowing rules that | inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax | depends on a line break. This issue is fixed in version 3.0.16. CVE-2026-52761[1]: | ModSecurity is an open source, cross platform web application | firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through | 3.0.15, the t:utf8toUnicode transformation in | src/actions/transformations/utf8_to_unicode.cc produces wrong output | on i386 architecture because snprintf uses sizeof on a char pointer | rather than the length of the unicode buffer, allowing rules that | use this transformation to be bypassed on i386 architecture. This | issue is fixed in version 3.0.16. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-52747 https://www.cve.org/CVERecord?id=CVE-2026-52747 https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-rcw9-2f5r-7p88 [1] https://security-tracker.debian.org/tracker/CVE-2026-52761 https://www.cve.org/CVERecord?id=CVE-2026-52761 https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq Please adjust the affected versions in the BTS as needed. Regards, Salvatore

