TL;DR
The OWASP ModSecurity team patched two ModSecurity vulnerabilities in version 3.0.16. Both let attackers slip payloads past WAF rules. Neither causes memory corruption or crashes. No exploitation in the wild has been confirmed.
Why It Matters
ModSecurity guards countless web apps on Apache, Nginx, and IIS. It ranks among the most deployed WAF engines online. So the reach of these bugs is broad. Furthermore, a rule bypass weakens a core defense layer. The higher-rated bug affects the default, recommended setup. As a result, many deployments could inspect the wrong request data. These ModSecurity vulnerabilities undermine trust in the firewall’s verdict.
How the Attacks Work
Multipart parser bypass (CVE-2026-52747)
The multipart/form-data parser removes embedded line breaks from field values. So a value split across two lines reaches the rules as one joined string. Meanwhile, the backend app may keep that line break. This gap hides payloads that depend on the break. The strict multipart checks also stay silent, so operators get no warning. Multiline injection vectors and delimiter-based signatures are most at risk. It rates CVSS 8.6.
Transformation flaw (CVE-2026-52761)
The t:utf8toUnicode transformation returns wrong output on i386. So rules that rely on it can be evaded on that architecture. Deployments on modern 64-bit servers stay unaffected. It rates CVSS 5.8.
Affected Versions
Both flaws affect ModSecurity v3.0.15 and earlier. The i386 bug reaches back to v3.0.0. Version 3.0.16 fixes both issues.
Patch and Mitigation
Upgrade to ModSecurity v3.0.16 without delay. You can read the details in the OWASP security advisories. Then grab the fixed build from the v3.0.16 release page. For the i386 issue, the team also suggests moving off that architecture. Finally, review your multipart rules after you update. Also confirm your build reports version 3.0.16 or later.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.