Blogs on Modsecurity Project

About CVE 2026-30923 and 2026-42268

Tue, 28 Apr 2026 00:00:00 +0200

We would like to share our take onCVE-2026-30923 andCVE-2026-42268, which were published on April 22, 2026, as well as some additional issues that were fixed.

How Big Is Too Big? A Deep Dive into ModSecurity Request Body Limits

Sun, 22 Feb 2026 00:00:00 +0200

Have you ever wondered what exactly the request body limits mean in ModSecurity and how they work?

Improper error handling: CVE-2025-54571 - 2025 August

Tue, 05 Aug 2025 00:00:00 +0200

We would like to share our take onCVE-2025-54571, which was published on August 5, 2025.

DoS vulnerability: CVE-2025-52891 - 2025 July

Tue, 01 Jul 2025 00:00:00 +0200

We would like to share our take onCVE-2025-52891, which was published on July 1, 2025.

DoS vulnerability: CVE-2025-48866 - 2025 June

Mon, 02 Jun 2025 00:00:00 +0200

We would like to share our take onCVE-2025-48866, which was published on June 2, 2025.

ModSecurity-nginx connector - new release: v1.0.4

Wed, 21 May 2025 00:00:00 +0200

The OWASP ModSecurity team is pleased to announce the release of ModSecurity-nginx connector version 1.0.4. This version includes a mixture of new features and bug fixes.

Possible DoS vulnerability: CVE-2025-47947 - 2025 May

Wed, 21 May 2025 00:00:00 +0200

We would like to share our take onCVE-2025-47947, which was published on May 21, 2025.

HTML Entity Decoding Regression: CVE-2025-27110 - 2025 February

Tue, 25 Feb 2025 00:00:00 +0200

We would like to share our take onCVE-2025-27110, which was published on February 25, 2025.

Use PCRE2 as default - 2025 February

Mon, 17 Feb 2025 00:00:00 +0200

It’s time to switch to using the PCRE library.

About CVE-2024-46292 - 2024 October

Fri, 11 Oct 2024 14:00:00 +0200

We would like to share our take onCVE-2024-46292, which was published on October 9 2024.

New versions - 2024 September

Tue, 03 Sep 2024 12:00:00 +0200

The OWASP ModSecurity team is pleased to announce the release of versions2.9.8 and3.0.13. These versions both include a mixture of new features and bug fixes.

ModSecurity.org: website available again

Fri, 30 Aug 2024 14:00:00 +0200

After a long period, themodsecurity.org website is available again with renewed content and form.

Save the date: developers meeting on 5th of June, 2024 - Leuven, Belgium

Thu, 23 May 2024 15:15:35 +0200

When the transfer of control took place at the end of January, the interim management stated that they wanted a one-on-one meeting with developers interested in maintaining ModSecurity. It’s time. Please save the date: we would like to organize a mini-event on June 5, 2024, where we can meet everyone in person and discuss future tasks. The venue is Leuven, Belgium - the exact location has yet to be determined. We will meet around 13:00 and will leave about 18:00. Stay tuned, register onSlack, where we will try to answer all your questions on the #project-modsecurity channel.

Modsecurity is arising like Phoenix from the ashes

Mon, 22 Apr 2024 08:22:35 +0200

The ModSecurity is preparing for the new hand. The announced transfer of custodianship to the OWASP Foundation became a fact, the project awaits a new adventure! If you add to it that theCore Rule Set, the widespread set of generic attack detection rules, is already under the roof of OWASP, and both ModSecurity and CRS gather around themselves vast of security experts, you might come to the conclusion that this can happen without you, can’t you?