SB2026070343 - Multiple vulnerabilities in OWASP ModSecurity Core Rule Set (CRS)


Published: July 3, 2026

Security Bulletin ID: SB2026070343
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

High: 50%, Medium: 50%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Inefficient regular expression complexity (CVE-ID: N/A)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service and bypass detection of malicious payloads.

The vulnerability exists due to inefficient regular expression complexity in the unix-shell-evasion regex assembly include and REQUEST-932-APPLICATION-ATTACK-RCE rules when processing a crafted request containing a long whitespace run. A remote attacker can send a specially crafted request to cause a denial of service and bypass detection of malicious payloads.

The issue is triggered when PCRE2 exceeds its backtracking limit, causing the affected rule evaluation to return an error instead of a match result. Coraza deployments using RE2 are not affected.


2) Improper Neutralization of Special Elements (CVE-ID: N/A)

CWE-ID: CWE-138 - Improper Neutralization of Special Elements

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass detection of malicious payloads in XML attribute values.

The vulnerability exists due to improper neutralization of special elements in the XML request body inspection rules: payloads placed in XML attribute values are not detected. A remote attacker can place an attack payload inside an XML attribute to bypass detection.

The issue affects rule families 921, 930, 931, 932, 933, 934, 941, 942, and 943 at every paranoia level, while the 944 Java family is unaffected.
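As an added defender-side illustration of the second issue (this is example code, not code from the bulletin or from the CRS project), the following Python compares an inspection that sees only XML text nodes with one that also covers attribute values. The payload pattern and the two sample bodies are constructed for the example and stand in for a CRS rule and real traffic.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical payload pattern standing in for a CRS injection rule
# (an assumption for this example, not an actual CRS regex).
PAYLOAD_RE = re.compile(r"(?i)\bunion\b.{0,40}\bselect\b", re.DOTALL)


def text_nodes(root):
    """Yield only element text and tail: what an inspection that skips attributes sees."""
    for el in root.iter():
        for value in (el.text, el.tail):
            if value and value.strip():
                yield ("text", el.tag, value)


def text_and_attribute_values(root):
    """Yield element text plus every attribute value, so attribute payloads are inspected."""
    yield from text_nodes(root)
    for el in root.iter():
        for name, value in el.attrib.items():
            yield ("attr", f"{el.tag}@{name}", value)


def inspect(body, extractor):
    """Return (kind, location, value) for every extracted value the payload pattern hits."""
    # Stdlib ElementTree is used for brevity; a deployment would parse untrusted XML with a
    # hardened parser (e.g. defusedxml) and enforce body size and depth limits first.
    root = ET.fromstring(body)
    return [hit for hit in extractor(root) if PAYLOAD_RE.search(hit[2])]


# Constructed sample bodies: the same payload placed in a text node and in an attribute value.
BODY_IN_TEXT = "<order><note>1 UNION SELECT secret FROM users</note></order>"
BODY_IN_ATTR = '<order><item sku="1 UNION SELECT secret FROM users"/></order>'

if __name__ == "__main__":
    for label, body in (("text node", BODY_IN_TEXT), ("attribute", BODY_IN_ATTR)):
        print(label, "text-only:", inspect(body, text_nodes))
        print(label, "text+attrs:", inspect(body, text_and_attribute_values))
```

The text-only extractor reports nothing for the attribute body, which is the bypass the bulletin describes; the combined extractor flags the attribute with its location, which is what a rule set or a custom pre-filter should log.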


Remediation

Install the update from the vendor's website.