CVE-2026-52747

Public on 2026-07-10
Modified on 2026-07-15
Description
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and ARGS_POST because src/request_body_processor/multipart.cc overwrites reserved bytes in m_reserve instead of appending the current buffer. This creates a parser differential between ModSecurity and backend applications that preserve line breaks in form fields, allowing rules that inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax depends on a line break. This issue is fixed in version 3.0.16.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
8.6
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core mod_security Not Affected
Amazon Linux 2023 mod_security Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
NVD CVSSv3 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N