OWASP

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of web application software.


Products by OWASP Sorted by Most Security Vulnerabilities since 2018

OWASP ModSecurity: 11 vulnerabilities

OWASP Dependency-Check: 2 vulnerabilities

OWASP Dependency-Track: 2 vulnerabilities

OWASP JSON Sanitizer: 2 vulnerabilities

OWASP Core Rule Set (CRS): 1 vulnerability

OWASP CSRFGuard: 1 vulnerability

OWASP DefectDojo: 1 vulnerability

OWASP Java HTML Sanitizer: 1 vulnerability

OWASP NodeGoat: 1 vulnerability

OWASP Zed Attack Proxy (ZAP): 1 vulnerability

By the Year

In 2026 so far, one vulnerability has been published for OWASP products, with an average CVSS score of 4.3 out of 10. In 2025, two security vulnerabilities were published. If vulnerabilities keep coming in at the current rate, the 2026 total could surpass last year's.

Year Vulnerabilities Average Score
2026 1 4.30
2025 2 0.00
2024 4 7.57
2023 4 8.08
2022 11 7.42
2021 8 8.44
2020 2 7.50
2019 1 5.40
2018 3 7.13

It may take a day or so for new OWASP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent OWASP Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-3816 Mar 09, 2026
DoS in DefectDojo 2.55.4 SonarQube/MSDefender Parser, Fixed 2.56.0 A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.56.0 is able to resolve this issue. The identifier of the patch is e8f1e5131535b8fd80a7b1b3085d676295fdcd41. Upgrading the affected component is recommended.
CVE-2025-66021 Nov 26, 2025
OWASP Java HTML Sanitizer XSS via noscript/style tags in 20240325.1 (no patch at publication) OWASP Java HTML Sanitizer is a configurable HTML sanitizer written in Java, allowing inclusion of HTML authored by third parties in web applications while protecting against XSS. In version 20240325.1, the OWASP Java HTML Sanitizer is vulnerable to XSS if the HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. A payload crafted so that the CSS is not sanitised can smuggle in tags that are not permitted by the HTML policy. At time of publication no known patch is available.
CVE-2025-48866 Jun 02, 2025
ModSecurity <2.9.10 Denial-of-Service via sanitiseArg Argument Bombing ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
Modsecurity
CVE-2024-46292 Oct 09, 2024
ModSecurity 3.0.12 DoS via name parameter buffer overflow (disputed) A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue).
Modsecurity
CVE-2023-48171 Aug 12, 2024
DefectDojo <1.5.3.1 Remote Privilege Escalation via Permissions An issue in OWASP DefectDojo before v.1.5.3.1 allows a remote attacker to escalate privileges via the user permissions component.
Defectdojo
CVE-2024-1019 Jan 30, 2024
ModSecurity 3.0.0-3.0.11 WAF Bypass via URL Path, Fixed in 3.0.12 ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.
Modsecurity
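The decode-before-split ordering that the CVE-2024-1019 advisory describes is easiest to see with two small parsers side by side. The following is an added example, not code from ModSecurity or from this page: `decode_then_split` models the ordering the advisory attributes to libModSecurity v3 <= 3.0.11, `split_then_decode` models the RFC 3986 ordering a compliant back-end uses, and `encoded_separator_in_path` is an assumed compensating check for deployments that cannot upgrade yet, not an existing CRS rule. The request-targets are constructed.

```python
from urllib.parse import unquote


def split_then_decode(raw_target: str) -> tuple:
    """RFC 3986 order, as a compliant back-end sees it: split on the first
    literal '?' in the raw request-target, then percent-decode each part."""
    path, _, query = raw_target.partition("?")
    return unquote(path), unquote(query)


def decode_then_split(raw_target: str) -> tuple:
    """Model of the order the advisory attributes to ModSecurity v3 <= 3.0.11:
    percent-decode the whole request-target first, then split on '?'.
    A '%3F' in the path becomes a separator here, so everything after it is
    treated as query string instead of path."""
    path, _, query = unquote(raw_target).partition("?")
    return path, query


def impedance_mismatch(raw_target: str) -> bool:
    """True when the two parse orders disagree about where the path ends."""
    return split_then_decode(raw_target) != decode_then_split(raw_target)


def encoded_separator_in_path(raw_target: str) -> bool:
    """Assumed compensating check (not a CRS rule): flag a percent-encoded
    '?' or '#' that appears before the first literal '?', since that is what
    moves a payload out of the path component the WAF inspects."""
    raw_path, _, _ = raw_target.partition("?")
    lowered = raw_path.lower()
    return "%3f" in lowered or "%23" in lowered


# Constructed request-targets for the demonstration.
SAMPLES = {
    "/items/42%3Fid=1%20OR%201=1": "payload hidden behind an encoded '?'",
    "/items/42?id=%3F": "encoded '?' only in the query string, harmless",
}

if __name__ == "__main__":
    for target, note in SAMPLES.items():
        print(target, "->", note)
        print("  back-end sees: ", split_then_decode(target))
        print("  WAF model sees:", decode_then_split(target))
        print("  mismatch:", impedance_mismatch(target),
              " flagged:", encoded_separator_in_path(target))
```

For the first sample the back-end keeps the whole string as the path, while the WAF model sees only `/items/42` as path and inspects the rest as a query string; that is the impedance mismatch the advisory describes.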
CVE-2024-23686 Jan 19, 2024
DependencyCheck 9.0.0-9.0.6 Log Leak: NVD API Key via Debug Mode DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.
Dependency Check
CVE-2023-38285 Jul 26, 2023
Trustwave ModSecurity 3.x <3.0.10: Inefficient Algorithmic Complexity Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.
Modsecurity
CVE-2023-38199 Jul 13, 2023
OWASP ModSecurity CRS <=3.3.4: Content-Type header confusion WAF bypass coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
Coreruleset
CVE-2023-28882 Apr 28, 2023
Trustwave ModSecurity 3.0.5-3.0.8 DoS via Transaction segfault Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
Modsecurity
CVE-2022-48279 Jan 20, 2023
ModSecurity multipart parsing bypass before v2.9.6/3.0.8 In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.
Modsecurity
CVE-2021-4247 Dec 18, 2022
OWASP NodeGoat DoS via Query Param Handler A vulnerability has been found in OWASP NodeGoat and classified as problematic. This vulnerability affects unknown code of the file app/routes/research.js of the component Query Parameter Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The name of the patch is 4a4d1db74c63fb4ff8d366551c3af006c25ead12. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216184.
Nodegoat
CVE-2022-39350 Oct 25, 2022
XSS in Dependency-Track Frontend <4.6.1 - Showdown no sanitization @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the `Vulnerability Details` element of the `Audit Vulnerabilities` tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1.
Dependency Track Frontend
CVE-2022-39351 Oct 25, 2022
Dependency-Track 4.6.0: API Key Clear-Text Log Flaw Resolved Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage.
Dependency Track
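Both CVE-2024-23686 (Dependency-Check writing the NVD API key to a debug log) and CVE-2022-39351 (Dependency-Track writing a rejected API key to its audit log) are the same failure: a secret reaches a log sink in clear text. The Dependency-Track fix keeps only the last four characters. The following is an added example, not code from either project: a `logging.Filter` that rewrites records before any handler sees them, masking every configured secret to its last four characters. The key values and log lines are constructed and non-functional.

```python
import logging


def mask(secret: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters, as the Dependency-Track 4.6.0 fix does."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


class SecretRedactingFilter(logging.Filter):
    """Rewrites log records so configured secrets never reach a handler in clear text."""

    def __init__(self, secrets):
        super().__init__()
        # Longest first, so a secret that contains another is masked as a whole.
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)

    def redact(self, text: str) -> str:
        for secret in self.secrets:
            text = text.replace(secret, mask(secret))
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Redact both the format string and any string arguments, so the
        # secret is gone before getMessage() interpolates them.
        record.msg = self.redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(self.redact(a) if isinstance(a, str) else a
                                for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: self.redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


# Constructed, non-functional secrets for the demonstration.
NVD_API_KEY = "0123abcd-4567-89ef-0123-456789abcdef"
DT_API_KEY = "odt_constructedkey1234567890"


def demo_log_lines() -> list:
    logger = logging.getLogger("redaction-demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    logger.handlers = [handler]
    logger.filters = [SecretRedactingFilter([NVD_API_KEY, DT_API_KEY])]
    # The two situations from the advisories: a debug line carrying the NVD
    # key, and an authorization failure that logs the presented API key.
    logger.debug("GET https://services.nvd.nist.gov/rest/json/cves/2.0 apiKey=%s", NVD_API_KEY)
    logger.warning("API key %s lacks permission VULNERABILITY_MANAGEMENT", DT_API_KEY)
    return handler.lines


if __name__ == "__main__":
    for line in demo_log_lines():
        print(line)
```

Attaching the filter to the logger rather than to one handler means every sink, including a debug handler added later, gets the redacted record; if a key has already been logged, rotate it, as the Dependency-Track advisory recommends.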
CVE-2022-39956 Sep 20, 2022
OWASP ModSecurity CRS multipart bypass (v3.0.x-3.3.2), upgrade to 3.2.2/3.3.3 The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
Owasp Modsecurity Core Rule Set
CVE-2022-39955 Sep 20, 2022
OWASP ModSecurity CRS 3.0.x-3.3.2 Charset Header Bypass The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
Owasp Modsecurity Core Rule Set
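CVE-2023-38199 (two Content-Type request headers, where the WAF and the backend pick different ones) and CVE-2022-39955 (one Content-Type header carrying two charset parameters) are both header-parsing ambiguities that a WAF has to resolve the same way the backend does, or refuse outright. The following is an added example, not CRS or ModSecurity code: a small request-head parser that keeps every header occurrence, plus an audit that reports duplicate Content-Type headers, multiple charset parameters, and charsets outside an allow list. The allow list is assumed to mirror the CRS 3.3 default; the three requests are constructed, not captured traffic.

```python
# Assumed to mirror the CRS 3.3 default charset allow list for request
# Content-Type headers; adjust to your own configuration.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}


def parse_headers(raw_request: bytes):
    """Minimal HTTP/1.1 head parser that keeps every header occurrence, in order."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def charsets_in(content_type: str) -> list:
    """All charset parameter values, in order; a compliant parser expects at most one."""
    found = []
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            found.append(value.strip().strip('"').lower())
    return found


def audit_content_type(raw_request: bytes) -> list:
    """Returns human-readable findings; an empty list means the request is unambiguous."""
    findings = []
    _, headers, _ = parse_headers(raw_request)
    values = [v for n, v in headers if n == "content-type"]
    if len(values) > 1:
        # CVE-2023-38199: WAF and backend may disagree on which one applies.
        findings.append("multiple Content-Type headers")
    for value in values:
        names = charsets_in(value)
        if len(names) > 1:
            # CVE-2022-39955: the allow-list check must see every charset, not just the first.
            findings.append("multiple charset parameters")
        for cs in names:
            if cs not in ALLOWED_CHARSETS:
                findings.append(f"charset not in allow list: {cs}")
    return findings


# Constructed requests for the demonstration.
REQ_DUPLICATE_HEADER = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\nuser=admin"
)
REQ_DOUBLE_CHARSET = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=utf-8; charset=utf-7\r\n"
    b"\r\nuser=admin"
)
REQ_CLEAN = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    b"\r\nuser=admin"
)

if __name__ == "__main__":
    for label, req in (("duplicate header", REQ_DUPLICATE_HEADER),
                       ("double charset", REQ_DOUBLE_CHARSET),
                       ("clean", REQ_CLEAN)):
        print(label, "->", audit_content_type(req) or "no findings")
```

The safe policy for a WAF is to treat either ambiguity as a malformed request and block, which is what the CRS advisory notes some platforms already do when they reject or merge conflicting headers.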
CVE-2022-39958 Sep 20, 2022
CRS 3.0/3.1/3.2.1/3.3.2 Response Body Bypass Upgrade to 3.2.2/3.3.3 The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
Owasp Modsecurity Core Rule Set
CVE-2022-39957 Sep 20, 2022
OWASP ModSecurity CRS 3.x Response Body Bypass via Accept Header The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
Owasp Modsecurity Core Rule Set
CVE-2020-22669 Sep 02, 2022
Modsecurity CRS 3.2.0 SQLi Bypass via Comments/Variables Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
Owasp Modsecurity Core Rule Set
CVE-2022-24891 Apr 27, 2022
ESAPI <2.3.0.0 XSS via incorrect onsiteURL regex in antisamy-esapi.xml ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential cross-site scripting vulnerability in ESAPI caused by an incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file, which can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Enterprise Security Api
CVE-2022-23457 Apr 25, 2022
ESAPI <2.3.0.0 Validator.getValidDirectoryPath may treat input as a child of the parent directory ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This could allow control-flow bypass checks to be defeated if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Enterprise Security Api
CVE-2022-27820 Mar 24, 2022
OWASP ZAP through w2022-03-21 does not verify the TLS certificate chain of HTTPS servers OWASP Zed Attack Proxy (ZAP) through w2022-03-21 does not verify the TLS certificate chain of an HTTPS server.
Zed Attack Proxy
CVE-2021-42717 Dec 07, 2021
ModSecurity 3.x through 3.0.5 and 2.8.0-2.9.4 DoS via excessively nested JSON ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. ModSecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
Modsecurity
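The nested-JSON issue in CVE-2021-42717 is a resource-exhaustion pattern that any body parser can hit: a recursive or stack-based parser is handed tens of thousands of nesting levels in a few hundred kilobytes. The following is an added example, not ModSecurity code: a linear-time, non-recursive depth scan that ignores brackets inside string literals, used as a guard before the real parser runs. The hostile payload is constructed to match the size the advisory mentions; the limits of 32 levels and 1 MB are assumed defaults.

```python
import json


def json_nesting_depth(text: str) -> int:
    """Deepest array/object nesting in the raw text, ignoring brackets that
    sit inside string literals. Linear time, no recursion, so it cannot be
    exhausted by the input it is checking."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_bounded(text: str, max_depth: int = 32, max_bytes: int = 1_000_000):
    """Reject oversized or over-nested bodies before the real parser touches them.
    The limits are assumed defaults; size them for the application behind the WAF."""
    if len(text.encode("utf-8")) > max_bytes:
        raise ValueError(f"body exceeds {max_bytes} bytes")
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def rejects(text: str, **limits) -> bool:
    """True when parse_bounded refuses the body (JSONDecodeError is a ValueError too)."""
    try:
        parse_bounded(text, **limits)
    except ValueError:
        return True
    return False


def deep_payload(levels: int) -> str:
    """Constructed hostile body: `levels` nested empty arrays, about 2*levels bytes."""
    return "[" * levels + "]" * levels


if __name__ == "__main__":
    hostile = deep_payload(150_000)  # about 300 KB, the size the advisory cites
    print("size:", len(hostile), "bytes, depth:", json_nesting_depth(hostile))
    print("rejected before parsing:", rejects(hostile))
```

Handing the same 300 KB body straight to a recursive parser is what turns a cheap request into minutes of CPU; the depth scan costs one pass over the bytes regardless of how the brackets are arranged.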
CVE-2021-35368 Nov 05, 2021
OWASP ModSecurity CRS 3.1.x <3.1.2, 3.2.x <3.2.1, 3.3.x <3.3.2 request body bypass via trailing pathname OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
Owasp Modsecurity Core Rule Set
CVE-2021-42575 Oct 18, 2021
OWASP Java HTML Sanitizer <20211018.1 does not enforce policies for SELECT, STYLE and OPTION elements The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
Java Html Sanitizer
CVE-2021-28490 Aug 19, 2021
OWASP CSRFGuard through 3.1.0 CSRF via cookie retrievable with only a session token In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token.
Csrfguard
CVE-2010-3300 Jun 22, 2021
OWASP ESAPI for Java up to 2.0 RC2 padding oracle attacks It was found that all OWASP ESAPI for Java versions up to 2.0 RC2 are vulnerable to padding oracle attacks.
Enterprise Security Api Java
CVE-2019-25043 May 06, 2021
ModSecurity 3.x <3.0.4 worker crash via malformed Cookie header ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
Modsecurity
CVE-2021-23900 Jan 13, 2021
OWASP json-sanitizer <1.2.2 invalid JSON output or undeclared exception (DoS) OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.
Json Sanitizer
CVE-2021-23899 Jan 13, 2021
OWASP json-sanitizer <1.2.2 may emit closing SCRIPT tags and CDATA delimiters (HTML/XML injection) OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
Json Sanitizer
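CVE-2021-23899 is the classic failure mode of JSON that is dropped verbatim into an HTML or XML document: a string value containing `</script>` ends the script element, and one containing `]]>` ends a CDATA section, so the rest of the value is parsed as markup. The following is an added example, not json-sanitizer code: it serializes a value and then rewrites the handful of characters that can close the embedding context as JSON `\u` escapes, which leaves the output valid JSON with an unchanged value. The hostile inputs are constructed.

```python
import json

# Characters that can end a <script> element, a CDATA section, or a JS line
# when raw JSON is dropped into HTML or XML. Each maps to a JSON \u escape
# that is still valid JSON and parses back to the same value.
_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # JS line separator: legal in JSON strings but a
    "\u2029": "\\u2029",  # line terminator to older JS engines
}


def json_for_script(value) -> str:
    """Serialize `value` so the result cannot close a <script> or CDATA section."""
    text = json.dumps(value, ensure_ascii=False)
    # Outside of string literals JSON never contains these characters, so
    # escaping them everywhere only touches string contents.
    for raw, esc in _ESCAPES.items():
        text = text.replace(raw, esc)
    return text


def script_tag(var_name: str, value) -> str:
    """Embed `value` as a JavaScript constant in an inline script element."""
    return f"<script>const {var_name} = {json_for_script(value)};</script>"


def round_trips(value) -> bool:
    """The escaped text must still parse to exactly the original value."""
    return json.loads(json_for_script(value)) == value


# Constructed hostile inputs of the kinds the json-sanitizer advisory names.
HOSTILE = {
    "script": "</script><img src=x onerror=alert(1)>",
    "cdata": "]]><script>alert(2)</script>",
    "lines": "a\u2028b\u2029c",
}

if __name__ == "__main__":
    print(script_tag("data", HOSTILE))
    print("round trip ok:", round_trips(HOSTILE))
```

The same escaping is needed whatever sanitizer produced the JSON: a sanitizer guarantees well-formed JSON, not safety in a particular embedding context.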
CVE-2020-15598 Oct 06, 2020
ModSecurity 3.x through 3.0.4 DoS via a special request (disputed) Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a denial of service condition. The vendor does not consider this a security issue because: 1) there is no default configuration issue here; an attacker would need to know that a rule using a potentially problematic regular expression was in place, and 2) the attacker would need to know the basic nature of the regular expression itself to exploit any resource issues. It is well known that regular expression usage can be taxing on system resources regardless of the use case. It is up to the administrator to decide when it is appropriate to trade resources for potential security benefit.
Modsecurity
CVE-2019-19886 Jan 21, 2020
ModSecurity 3.0.0-3.0.3 DoS via crafted requests to Transaction::addRequestHeader Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send crafted requests that may, when sent quickly in large volumes, lead to the server becoming slow or unresponsive (Denial of Service) because of a flaw in Transaction::addRequestHeader in transaction.cc.
Modsecurity
CVE-2019-1020007 Jul 29, 2019
Dependency-Track <3.5.1 XSS Dependency-Track before 3.5.1 allows XSS.
Dependency Track
CVE-2018-16384 Sep 03, 2018
OWASP ModSecurity CRS through 3.1.0-rc3 SQL injection PL1 bypass via {`a`b} A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.
Owasp Modsecurity Core Rule Set
CVE-2018-13065 Jul 03, 2018
ModSecurity 3.0.0 XSS via IMG onerror attribute (disputed) ModSecurity 3.0.0 has XSS via an onerror attribute of an IMG element. NOTE: a third party has disputed this issue because it may only apply to environments without a Core Rule Set configured.
Modsecurity
CVE-2018-12036 Jun 07, 2018
OWASP Dependency-Check <3.2.0 arbitrary file write via archive with directory traversal filenames OWASP Dependency-Check before 3.2.0 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.
Dependency Check
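Two entries on this page are the same path-containment mistake seen from different ends: CVE-2022-23457 describes ESAPI's `getValidDirectoryPath` treating an input as a child of the parent directory when it is not, and CVE-2018-12036 describes Dependency-Check writing archive entries with traversal names (the "zip slip" pattern) outside the extraction directory. The following is an added example, not code from ESAPI or Dependency-Check: a string-prefix containment check beside a component-wise one, and an extractor that refuses any entry whose resolved target leaves the destination. The archives and paths are constructed; the demo writes into a fresh temporary directory and assumes a POSIX filesystem.

```python
import io
import os
import tempfile
import zipfile


def naive_is_within(parent: str, candidate: str) -> bool:
    """The string-prefix check the ESAPI advisory warns about: wrong, because
    '/srv/app/data-old' starts with '/srv/app/data' yet is not inside it."""
    return os.path.abspath(candidate).startswith(os.path.abspath(parent))


def is_within(parent: str, candidate: str) -> bool:
    """Component-wise containment: resolve both paths (symlinks and '..'),
    then require the parent to be a whole-component prefix."""
    parent = os.path.realpath(parent)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([parent, candidate]) == parent


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract every entry, refusing any whose resolved target leaves `dest`.
    Uses zf.open plus a manual path on purpose: that is the pattern that is
    vulnerable without the check, and safe with it."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # absolute names replace dest
            if not is_within(dest, target):
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries: dict) -> bytes:
    """Constructed archive for the demonstration; writestr keeps names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> dict:
    dest = tempfile.mkdtemp(prefix="extract-")
    good = build_zip({"lib/README.txt": b"benign"})
    slip = build_zip({"../escaped.txt": b"outside dest", "lib/ok.txt": b"x"})
    absolute = build_zip({"/tmp/absolute.txt": b"absolute path"})
    result = {"written": len(safe_extract(good, dest))}
    for name, archive in (("slip", slip), ("absolute", absolute)):
        try:
            safe_extract(archive, dest)
            result[name] = "extracted"
        except ValueError:
            result[name] = "rejected"
    result["naive_prefix_bug"] = naive_is_within("/srv/app/data", "/srv/app/data-old/secret")
    result["fixed_prefix"] = is_within("/srv/app/data", "/srv/app/data-old/secret")
    return result


if __name__ == "__main__":
    print(run_demo())
```

The check runs on the resolved target, not on the entry name, so `..` segments, absolute names and symlinked destinations are all judged by where the bytes would actually land.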
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms