Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/modsecurity-crs@3.1.0-1%2Bdeb10u2
Type deb
Namespace debian
Name modsecurity-crs
Version 3.1.0-1+deb10u2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.3.4-1+deb12u3
Latest_non_vulnerable_version 3.3.4-1+deb12u3
Affected_by_vulnerabilities
0
url VCID-1waf-9gu9-c3ah
vulnerability_id VCID-1waf-9gu9-c3ah
summary The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39957.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39957.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39957
reference_id
reference_type
scores
0
value 0.00903
scoring_system epss
scoring_elements 0.76082
published_at 2026-06-04T12:55:00Z
1
value 0.00903
scoring_system epss
scoring_elements 0.76112
published_at 2026-06-09T12:55:00Z
2
value 0.00903
scoring_system epss
scoring_elements 0.76107
published_at 2026-06-06T12:55:00Z
3
value 0.00903
scoring_system epss
scoring_elements 0.76099
published_at 2026-06-07T12:55:00Z
4
value 0.00903
scoring_system epss
scoring_elements 0.76087
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39957
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
reference_id 1021137
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2131319
reference_id 2131319
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2131319
6
reference_url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
reference_id crs-version-3-3-3-and-3-2-2-covering-several-cves
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/
url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
7
reference_url https://security.gentoo.org/glsa/202305-25
reference_id GLSA-202305-25
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/
url https://security.gentoo.org/glsa/202305-25
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
reference_id HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
9
reference_url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
reference_id msg00033.html
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/
url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
reference_id PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
reference_id YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:57Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2022-39957
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1waf-9gu9-c3ah
1
url VCID-5nu2-g227-eufq
vulnerability_id VCID-5nu2-g227-eufq
summary Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-22669
reference_id
reference_type
scores
0
value 0.00261
scoring_system epss
scoring_elements 0.49684
published_at 2026-06-04T12:55:00Z
1
value 0.00261
scoring_system epss
scoring_elements 0.49748
published_at 2026-06-05T12:55:00Z
2
value 0.00261
scoring_system epss
scoring_elements 0.49757
published_at 2026-06-06T12:55:00Z
3
value 0.00261
scoring_system epss
scoring_elements 0.4974
published_at 2026-06-07T12:55:00Z
4
value 0.00261
scoring_system epss
scoring_elements 0.49711
published_at 2026-06-08T12:55:00Z
5
value 0.00261
scoring_system epss
scoring_elements 0.49727
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-22669
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2020-22669
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5nu2-g227-eufq
2
url VCID-6uwm-p2bt-zqan
vulnerability_id VCID-6uwm-p2bt-zqan
summary A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-16384
reference_id
reference_type
scores
0
value 0.0026
scoring_system epss
scoring_elements 0.49618
published_at 2026-06-04T12:55:00Z
1
value 0.0026
scoring_system epss
scoring_elements 0.49682
published_at 2026-06-05T12:55:00Z
2
value 0.0026
scoring_system epss
scoring_elements 0.49692
published_at 2026-06-06T12:55:00Z
3
value 0.0026
scoring_system epss
scoring_elements 0.49674
published_at 2026-06-07T12:55:00Z
4
value 0.0026
scoring_system epss
scoring_elements 0.49645
published_at 2026-06-08T12:55:00Z
5
value 0.0026
scoring_system epss
scoring_elements 0.4966
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-16384
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924352
reference_id 924352
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924352
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
purl pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1waf-9gu9-c3ah
1
vulnerability VCID-5nu2-g227-eufq
2
vulnerability VCID-8ynf-c717-wkd9
3
vulnerability VCID-9gcu-vd8q-buan
4
vulnerability VCID-dzcy-8rqk-6fd8
5
vulnerability VCID-fd1y-9r47-t3ec
6
vulnerability VCID-h62t-9dbx-tkcv
7
vulnerability VCID-pmxc-ce56-e7bz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1
aliases CVE-2018-16384
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6uwm-p2bt-zqan
3
url VCID-8ynf-c717-wkd9
vulnerability_id VCID-8ynf-c717-wkd9
summary The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39958.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39958.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39958
reference_id
reference_type
scores
0
value 0.00571
scoring_system epss
scoring_elements 0.68989
published_at 2026-06-04T12:55:00Z
1
value 0.00571
scoring_system epss
scoring_elements 0.69036
published_at 2026-06-09T12:55:00Z
2
value 0.00571
scoring_system epss
scoring_elements 0.69028
published_at 2026-06-05T12:55:00Z
3
value 0.00571
scoring_system epss
scoring_elements 0.69038
published_at 2026-06-06T12:55:00Z
4
value 0.00571
scoring_system epss
scoring_elements 0.69031
published_at 2026-06-07T12:55:00Z
5
value 0.00571
scoring_system epss
scoring_elements 0.69015
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39958
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
reference_id 1021137
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2131321
reference_id 2131321
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2131321
6
reference_url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
reference_id crs-version-3-3-3-and-3-2-2-covering-several-cves
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/
url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
7
reference_url https://security.gentoo.org/glsa/202305-25
reference_id GLSA-202305-25
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/
url https://security.gentoo.org/glsa/202305-25
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
reference_id HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
9
reference_url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
reference_id msg00033.html
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/
url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
reference_id PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
reference_id YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:43:25Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2022-39958
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ynf-c717-wkd9
4
url VCID-9gcu-vd8q-buan
vulnerability_id VCID-9gcu-vd8q-buan
summary The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-21876
reference_id
reference_type
scores
0
value 0.03371
scoring_system epss
scoring_elements 0.87606
published_at 2026-06-05T12:55:00Z
1
value 0.03371
scoring_system epss
scoring_elements 0.87615
published_at 2026-06-09T12:55:00Z
2
value 0.03371
scoring_system epss
scoring_elements 0.87603
published_at 2026-06-08T12:55:00Z
3
value 0.03371
scoring_system epss
scoring_elements 0.87604
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-21876
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21876
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21876
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084
reference_id 1125084
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125084
3
reference_url https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
reference_id 80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/
url https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
4
reference_url https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6
reference_id 9917985de09a6cf38b3261faf9105e909d67a7d6
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/
url https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6
5
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52558.py
reference_id CVE-2026-21876
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52558.py
6
reference_url https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
reference_id GHSA-36fv-25j3-r2c5
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/
url https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
7
reference_url https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8
reference_id v3.3.8
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/
url https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8
8
reference_url https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0
reference_id v4.22.0
reference_type
scores
0
value 9.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:52:48Z/
url https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2026-21876
risk_score 10.0
exploitability 2.0
weighted_severity 8.4
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9gcu-vd8q-buan
5
url VCID-dzcy-8rqk-6fd8
vulnerability_id VCID-dzcy-8rqk-6fd8
summary coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38199
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12289
published_at 2026-06-06T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12253
published_at 2026-06-07T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12172
published_at 2026-06-08T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12184
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38199
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38199
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38199
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109
reference_id 1041109
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109
3
reference_url https://github.com/coreruleset/coreruleset/issues/3191
reference_id 3191
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-30T18:55:13Z/
url https://github.com/coreruleset/coreruleset/issues/3191
4
reference_url https://github.com/coreruleset/coreruleset/pull/3237
reference_id 3237
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-30T18:55:13Z/
url https://github.com/coreruleset/coreruleset/pull/3237
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2023-38199
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzcy-8rqk-6fd8
6
url VCID-fd1y-9r47-t3ec
vulnerability_id VCID-fd1y-9r47-t3ec
summary The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39956.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39956.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39956
reference_id
reference_type
scores
0
value 0.00119
scoring_system epss
scoring_elements 0.30361
published_at 2026-06-04T12:55:00Z
1
value 0.00119
scoring_system epss
scoring_elements 0.3036
published_at 2026-06-09T12:55:00Z
2
value 0.00119
scoring_system epss
scoring_elements 0.30435
published_at 2026-06-05T12:55:00Z
3
value 0.00119
scoring_system epss
scoring_elements 0.30402
published_at 2026-06-06T12:55:00Z
4
value 0.00119
scoring_system epss
scoring_elements 0.30375
published_at 2026-06-07T12:55:00Z
5
value 0.00119
scoring_system epss
scoring_elements 0.30344
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39956
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
reference_id 1021137
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2131317
reference_id 2131317
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2131317
6
reference_url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
reference_id crs-version-3-3-3-and-3-2-2-covering-several-cves
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/
url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
7
reference_url https://security.gentoo.org/glsa/202305-25
reference_id GLSA-202305-25
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/
url https://security.gentoo.org/glsa/202305-25
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
reference_id HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
9
reference_url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
reference_id msg00033.html
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/
url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
reference_id PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
reference_id YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:35Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2022-39956
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fd1y-9r47-t3ec
7
url VCID-h62t-9dbx-tkcv
vulnerability_id VCID-h62t-9dbx-tkcv
summary The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39955.json
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39955.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39955
reference_id
reference_type
scores
0
value 0.00779
scoring_system epss
scoring_elements 0.74028
published_at 2026-06-04T12:55:00Z
1
value 0.00779
scoring_system epss
scoring_elements 0.74062
published_at 2026-06-09T12:55:00Z
2
value 0.00779
scoring_system epss
scoring_elements 0.74061
published_at 2026-06-05T12:55:00Z
3
value 0.00779
scoring_system epss
scoring_elements 0.74066
published_at 2026-06-06T12:55:00Z
4
value 0.00779
scoring_system epss
scoring_elements 0.74052
published_at 2026-06-07T12:55:00Z
5
value 0.00779
scoring_system epss
scoring_elements 0.74035
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39955
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
reference_id 1021137
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021137
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2131315
reference_id 2131315
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2131315
6
reference_url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
reference_id crs-version-3-3-3-and-3-2-2-covering-several-cves
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/
url https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
7
reference_url https://security.gentoo.org/glsa/202305-25
reference_id GLSA-202305-25
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/
url https://security.gentoo.org/glsa/202305-25
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
reference_id HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HL2L2GF7GOCWPMJZDUE5OXDSXHGG3XUJ/
9
reference_url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
reference_id msg00033.html
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/
url https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
reference_id PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
reference_id YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:45:07Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPQ6CCMX3MU4A7MTCGQJA7VMJW3IQDXV/
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
purl pkg:deb/debian/modsecurity-crs@3.3.4-1%2Bdeb12u3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.4-1%252Bdeb12u3
aliases CVE-2022-39955
risk_score 3.3
exploitability 0.5
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h62t-9dbx-tkcv
8
url VCID-q42g-qzkj-u7ak
vulnerability_id VCID-q42g-qzkj-u7ak
summary An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-11387
reference_id
reference_type
scores
0
value 0.00439
scoring_system epss
scoring_elements 0.63464
published_at 2026-06-04T12:55:00Z
1
value 0.00439
scoring_system epss
scoring_elements 0.63507
published_at 2026-06-05T12:55:00Z
2
value 0.00439
scoring_system epss
scoring_elements 0.63515
published_at 2026-06-06T12:55:00Z
3
value 0.00439
scoring_system epss
scoring_elements 0.63505
published_at 2026-06-07T12:55:00Z
4
value 0.00439
scoring_system epss
scoring_elements 0.63494
published_at 2026-06-08T12:55:00Z
5
value 0.00439
scoring_system epss
scoring_elements 0.63513
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-11387
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11387
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053
reference_id 928053
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
purl pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1waf-9gu9-c3ah
1
vulnerability VCID-5nu2-g227-eufq
2
vulnerability VCID-8ynf-c717-wkd9
3
vulnerability VCID-9gcu-vd8q-buan
4
vulnerability VCID-dzcy-8rqk-6fd8
5
vulnerability VCID-fd1y-9r47-t3ec
6
vulnerability VCID-h62t-9dbx-tkcv
7
vulnerability VCID-pmxc-ce56-e7bz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1
aliases CVE-2019-11387
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q42g-qzkj-u7ak
9
url VCID-sqyp-mbuj-p3a4
vulnerability_id VCID-sqyp-mbuj-p3a4
summary An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with nested repetition operators. NOTE: the software maintainer disputes that this is a vulnerability because the issue cannot be exploited via ModSecurity.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-11388
reference_id
reference_type
scores
0
value 0.0051
scoring_system epss
scoring_elements 0.66761
published_at 2026-06-09T12:55:00Z
1
value 0.0051
scoring_system epss
scoring_elements 0.66744
published_at 2026-06-08T12:55:00Z
2
value 0.0051
scoring_system epss
scoring_elements 0.66726
published_at 2026-06-04T12:55:00Z
3
value 0.0051
scoring_system epss
scoring_elements 0.66766
published_at 2026-06-05T12:55:00Z
4
value 0.0051
scoring_system epss
scoring_elements 0.66774
published_at 2026-06-06T12:55:00Z
5
value 0.0051
scoring_system epss
scoring_elements 0.66759
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-11388
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11388
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11388
2
reference_url https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354
reference_id 1354
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T13:17:02Z/
url https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1354
3
reference_url https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372
reference_id 1372
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T13:17:02Z/
url https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053
reference_id 928053
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928053
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
purl pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1waf-9gu9-c3ah
1
vulnerability VCID-5nu2-g227-eufq
2
vulnerability VCID-8ynf-c717-wkd9
3
vulnerability VCID-9gcu-vd8q-buan
4
vulnerability VCID-dzcy-8rqk-6fd8
5
vulnerability VCID-fd1y-9r47-t3ec
6
vulnerability VCID-h62t-9dbx-tkcv
7
vulnerability VCID-pmxc-ce56-e7bz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1
aliases CVE-2019-11388
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sqyp-mbuj-p3a4
10
url VCID-yp6h-2wq3-6yh3
vulnerability_id VCID-yp6h-2wq3-6yh3
summary OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-35368
reference_id
reference_type
scores
0
value 0.00306
scoring_system epss
scoring_elements 0.54152
published_at 2026-06-06T12:55:00Z
1
value 0.00306
scoring_system epss
scoring_elements 0.54142
published_at 2026-06-07T12:55:00Z
2
value 0.00306
scoring_system epss
scoring_elements 0.54119
published_at 2026-06-08T12:55:00Z
3
value 0.00306
scoring_system epss
scoring_elements 0.54141
published_at 2026-06-09T12:55:00Z
4
value 0.00406
scoring_system epss
scoring_elements 0.61387
published_at 2026-06-04T12:55:00Z
5
value 0.00406
scoring_system epss
scoring_elements 0.61434
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-35368
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
reference_id 992000
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
3
reference_url https://security.gentoo.org/glsa/202305-25
reference_id GLSA-202305-25
reference_type
scores
url https://security.gentoo.org/glsa/202305-25
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
purl pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1waf-9gu9-c3ah
1
vulnerability VCID-5nu2-g227-eufq
2
vulnerability VCID-8ynf-c717-wkd9
3
vulnerability VCID-9gcu-vd8q-buan
4
vulnerability VCID-dzcy-8rqk-6fd8
5
vulnerability VCID-fd1y-9r47-t3ec
6
vulnerability VCID-h62t-9dbx-tkcv
7
vulnerability VCID-pmxc-ce56-e7bz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1
aliases CVE-2021-35368
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yp6h-2wq3-6yh3
11
url VCID-zbbk-ktfm-b7bb
vulnerability_id VCID-zbbk-ktfm-b7bb
summary An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-13464
reference_id
reference_type
scores
0
value 0.00237
scoring_system epss
scoring_elements 0.46887
published_at 2026-06-04T12:55:00Z
1
value 0.00237
scoring_system epss
scoring_elements 0.46953
published_at 2026-06-05T12:55:00Z
2
value 0.00237
scoring_system epss
scoring_elements 0.46956
published_at 2026-06-06T12:55:00Z
3
value 0.00237
scoring_system epss
scoring_elements 0.46937
published_at 2026-06-07T12:55:00Z
4
value 0.00237
scoring_system epss
scoring_elements 0.46908
published_at 2026-06-08T12:55:00Z
5
value 0.00237
scoring_system epss
scoring_elements 0.46918
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-13464
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13464
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13464
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773
reference_id 943773
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773
fixed_packages
0
url pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
purl pkg:deb/debian/modsecurity-crs@3.3.0-1%2Bdeb11u1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1waf-9gu9-c3ah
1
vulnerability VCID-5nu2-g227-eufq
2
vulnerability VCID-8ynf-c717-wkd9
3
vulnerability VCID-9gcu-vd8q-buan
4
vulnerability VCID-dzcy-8rqk-6fd8
5
vulnerability VCID-fd1y-9r47-t3ec
6
vulnerability VCID-h62t-9dbx-tkcv
7
vulnerability VCID-pmxc-ce56-e7bz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.3.0-1%252Bdeb11u1
aliases CVE-2019-13464
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zbbk-ktfm-b7bb
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/modsecurity-crs@3.1.0-1%252Bdeb10u2