Improper Neutralization of Special Elements in OWASP ModSecurity Core Rule Set (CRS) - #VU136863


Published: July 3, 2026


Vulnerability identifier: #VU136863
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-138
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OWASP
Affected software: OWASP ModSecurity Core Rule Set (CRS)

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass detection of malicious payloads in XML attribute values.

The vulnerability exists because the XML request body inspection rules do not properly neutralize special elements in XML attribute values when processing XML request bodies. A remote attacker can place an attack payload inside an XML attribute value and evade the rules that would otherwise detect it.

The issue affects rule families 921, 930, 931, 932, 933, 934, 941, 942, and 943 at every paranoia level; the 944 (Java) family is unaffected.
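The following is an added illustration, not code from the advisory or from the CRS project: it parses a constructed XML request body and shows that an inspection pass which collects only element text never sees a string carried in an attribute value, while a pass that also collects attribute values does. The `SUSPICIOUS_MARKER` string and the `find_marker` check are placeholders standing in for the real rule families; no CRS signatures are reproduced.

```python
"""Added example (not CRS code): why XML request body inspection must
cover attribute values as well as element text. Standard library only;
the marker check is a stand-in for the rule families named above."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample body: the marker appears once in element text and
# once inside an attribute value (assumed placeholder, not a real payload).
SAMPLE_XML = (
    '<order id="42">'
    '<note>hello SUSPICIOUS_MARKER</note>'
    '<item sku="SUSPICIOUS_MARKER in attr">widget</item>'
    '</order>'
)


def text_only_values(xml_body: str) -> list[str]:
    """Element text and tail only: models an inspection that skips attributes."""
    root = ET.fromstring(xml_body)
    out: list[str] = []
    for el in root.iter():
        if el.text and el.text.strip():
            out.append(el.text.strip())
        if el.tail and el.tail.strip():
            out.append(el.tail.strip())
    return out


def all_values(xml_body: str) -> list[str]:
    """Element text plus every attribute value: the full inspectable surface."""
    root = ET.fromstring(xml_body)
    out = text_only_values(xml_body)
    for el in root.iter():
        out.extend(el.attrib.values())
    return out


def find_marker(values: list[str], marker: str = "SUSPICIOUS_MARKER") -> list[str]:
    """Return the values containing the marker (stand-in for a detection rule)."""
    return [v for v in values if marker in v]


def missed_by_text_only(xml_body: str) -> list[str]:
    """Marker hits that a text-only inspection would never have seen."""
    seen = set(find_marker(text_only_values(xml_body)))
    return [v for v in find_marker(all_values(xml_body)) if v not in seen]


if __name__ == "__main__":
    print("text-only hits:", find_marker(text_only_values(SAMPLE_XML)))
    print("missed without attribute inspection:", missed_by_text_only(SAMPLE_XML))
```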


Remediation

Install the security update from the vendor's website.

Sources