ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.
References
| Link | Resource |
|---|---|
| https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.15 | Patch Product |
| https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g | Exploit Vendor Advisory |
| https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g | Exploit Vendor Advisory |
Configurations
History
07 May 2026, 13:41
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.15 - Patch, Product | |
| References | () https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:owasp:modsecurity:*:*:*:*:*:*:*:* | |
| First Time |
Owasp
Owasp modsecurity |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
05 May 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g - |
05 May 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-05 19:16
Updated : 2026-05-07 13:41
NVD link : CVE-2026-30923
Mitre link : CVE-2026-30923
CVE.ORG link : CVE-2026-30923
JSON object : View
Products Affected
owasp
- modsecurity
CWE
CWE-125
Out-of-bounds Read