Bug 2499232 (CVE-2026-52747) - CVE-2026-52747 ModSecurity: ModSecurity: Security rule bypass due to incorrect handling of line breaks in form data
Summary: CVE-2026-52747 ModSecurity: ModSecurity: Security rule bypass due to incorrec...
Keywords:
Status: NEW
Alias: CVE-2026-52747
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2499335 2499336 2499337 2499338
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-10 22:01 UTC by OSIDB Bzimport
Modified: 2026-07-11 07:44 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-10 22:01:17 UTC
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and ARGS_POST because src/request_body_processor/multipart.cc overwrites reserved bytes in m_reserve instead of appending the current buffer. This creates a parser differential between ModSecurity and backend applications that preserve line breaks in form fields, allowing rules that inspect ARGS or ARGS_POST to miss payloads whose dangerous syntax depends on a line break. This issue is fixed in version 3.0.16.


Note You need to log in before you can comment on or make changes to this bug.