Trustwave
By the Year
In 2026 there have been 0 vulnerabilities published for Trustwave products so far. Last year, in 2025, Trustwave had 2 security vulnerabilities published. Right now, Trustwave is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 7.50 |
| 2024 | 2 | 8.60 |
| 2023 | 4 | 7.50 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 7.50 |
| 2020 | 2 | 7.50 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 6.80 |
It may take a day or so for new Trustwave vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example, ModSecurity or Libmodsecurity3 rather than Trustwave).
Recent Trustwave Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-47947 | May 21, 2025 | ModSecurity 2.9.8 denial of service via JSON `sanitiseMatchedBytes` rule. ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json` and at least one rule performs a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and is expected to be part of version 2.9.9. No known workarounds are available. | ModSecurity |
| CVE-2025-27110 | Feb 25, 2025 | Libmodsecurity3 3.0.13 HTML entity zero-padding decode failure. Libmodsecurity is one component of the ModSecurity v3 project; the library serves as an interface to ModSecurity Connectors, taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 cannot decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available. | ModSecurity (Libmodsecurity3) |
| CVE-2024-46292 | Oct 09, 2024 | ModSecurity 3.0.12 DoS via name parameter buffer overflow. A buffer overflow in ModSecurity v3.0.12 allows attackers to cause a denial of service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of `SecRequestBodyNoFilesLimit` (which are required by the claimed issue). | ModSecurity |
| CVE-2024-1019 | Jan 30, 2024 | ModSecurity 3.0.0 to 3.0.11 WAF bypass via URL path, fixed in 3.0.12. ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC-compliant back-end applications: an attack payload in the path component of the URL is hidden from the WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability. | ModSecurity |
| CVE-2023-38285 | Jul 26, 2023 | Trustwave ModSecurity 3.x before 3.0.10: inefficient algorithmic complexity. Trustwave ModSecurity 3.x before 3.0.10 has inefficient algorithmic complexity. | ModSecurity |
| CVE-2023-28882 | Apr 28, 2023 | Trustwave ModSecurity 3.0.5 to 3.0.8 DoS via Transaction segfault. Trustwave ModSecurity 3.0.5 through 3.0.8 (before 3.0.9) allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations. | ModSecurity |
| CVE-2022-48279 | Jan 20, 2023 | ModSecurity multipart parsing bypass before v2.9.6 and v3.0.8. In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered an independent change to the ModSecurity (C language) codebase. | ModSecurity |
| CVE-2023-24021 | Jan 20, 2023 | ModSecurity before 2.9.7 WAF bypass via `'\0'` bytes in FILES_TMP_CONTENT. Incorrect handling of `'\0'` bytes in file uploads in ModSecurity before 2.9.7 may allow Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the `FILES_TMP_CONTENT` collection. | ModSecurity |
| CVE-2021-42717 | Dec 07, 2021 | ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens of thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. ModSecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. | ModSecurity |
| CVE-2019-25043 | May 06, 2021 | ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a `Cookie: =abc` header. | ModSecurity |
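The CVE-2024-1019 entry above describes an ordering bug: decoding percent-encoded characters before splitting the request target into path and query. The following Python is an added illustration of that impedance mismatch, not code from ModSecurity or from stack.watch. It models the two parse orders side by side and applies a deliberately simplistic path rule (the regular expression `PATH_RULE` is a stand-in invented for this example, not a ModSecurity or CRS rule) so you can see which side of the WAF the payload lands on. The sample request target is constructed for the example.

```python
import re
from urllib.parse import unquote

# Stand-in "path inspection" rule for the demo (assumption, not a real WAF rule):
# flag SQL-style quotes or traversal sequences in the path component.
PATH_RULE = re.compile(r"['\"]|\.\./")


def split_then_decode(target: str) -> tuple[str, str]:
    """RFC 3986 order used by a compliant back-end: split path from query on the
    first *literal* '?', then percent-decode each part. An encoded %3F is just
    data inside the path and never becomes a query delimiter."""
    path, _, query = target.partition("?")
    return unquote(path), unquote(query)


def decode_then_split(target: str) -> tuple[str, str]:
    """Order described for ModSecurity v3.0.0-3.0.11: decode the whole target
    first, then split. A %3F now looks like a real '?', so everything after it
    is treated as query string instead of path."""
    decoded = unquote(target)
    path, _, query = decoded.partition("?")
    return path, query


def compare_views(target: str) -> dict:
    """Show what the WAF-side parser and the back-end parser each call 'the path',
    and whether a path-only rule would have fired on each view."""
    waf_path, waf_query = decode_then_split(target)
    backend_path, backend_query = split_then_decode(target)
    return {
        "waf_path": waf_path,
        "waf_query": waf_query,
        "backend_path": backend_path,
        "backend_query": backend_query,
        "waf_path_rule_fires": bool(PATH_RULE.search(waf_path)),
        "backend_path_has_payload": bool(PATH_RULE.search(backend_path)),
    }


def hidden_from_path_rules(target: str) -> bool:
    """True when the payload is in the back-end's path but absent from the
    WAF's path: the bypass condition CVE-2024-1019 describes."""
    view = compare_views(target)
    return view["backend_path_has_payload"] and not view["waf_path_rule_fires"]


# Constructed sample: a quote-based payload placed after an encoded '?' so that
# the WAF sees a clean "/api/users" path while the back-end sees the whole thing.
SAMPLE_TARGET = "/api/users%3Fid=1%27%20OR%20%271%27=%271"

if __name__ == "__main__":
    for key, value in compare_views(SAMPLE_TARGET).items():
        print(f"{key:26} {value!r}")
    print("bypass:", hidden_from_path_rules(SAMPLE_TARGET))
```

The same request is benign from the WAF's point of view (path `/api/users`, payload relegated to the query) and dangerous from the back-end's (path `/api/users?id=1' OR '1'='1`). A rule that inspects only the path, or a rule that inspects the query but expects a different encoding of it, can be evaded this way; the fix in 3.0.12 is to split first and decode second, which is also the order the first function uses.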
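The CVE-2021-42717 entry above is about a request body whose JSON nesting depth, not its size, exhausts a worker. A cheap guard is to bound the depth before the real parser ever recurses into the document. The Python below is an added example written for this page (not ModSecurity code; it does not reproduce the affected parser) that does a single linear scan of the raw text, tracking bracket depth while correctly skipping brackets that appear inside string literals, and rejects anything deeper than a configured limit. The depth limit and the sample payloads are assumptions chosen for the demo.

```python
import json

# Assumed policy for this example: reject documents deeper than this before
# handing them to a recursive-descent parser. Real JSON rarely exceeds a few dozen.
DEFAULT_MAX_DEPTH = 128


def json_nesting_depth(text: str, max_depth: int = DEFAULT_MAX_DEPTH) -> int:
    """Return the maximum bracket nesting depth of a JSON text, scanning it once
    without recursion. Raises ValueError as soon as max_depth is exceeded, so a
    huge nested payload is rejected early instead of being fully walked."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            # Brackets inside string literals do not nest; honour backslash escapes
            # so an escaped quote does not end the string prematurely.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise ValueError(f"JSON nesting depth exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def nested_payload(levels: int) -> str:
    """Constructed attacker-style body: `levels` nested empty arrays.
    A few tens of thousands of levels is well under 100 KB."""
    return "[" * levels + "]" * levels


def accept_body(text: str, max_depth: int = DEFAULT_MAX_DEPTH):
    """Guarded parse: depth-check first, then parse only if the check passes."""
    json_nesting_depth(text, max_depth)
    return json.loads(text)


if __name__ == "__main__":
    hostile = nested_payload(50_000)
    print("payload bytes:", len(hostile))
    try:
        accept_body(hostile)
    except ValueError as exc:
        print("rejected before parsing:", exc)
    # For comparison, CPython's own json module only gives up once it has
    # recursed to its limit, raising RecursionError rather than a clean reject.
    try:
        json.loads(hostile)
    except RecursionError:
        print("json.loads hit RecursionError on the same input")
```

The scan is O(n) in the body length and uses constant memory, so it can sit in front of any body parser whose cost grows with nesting. The string-literal handling matters: a naive bracket counter would be fooled by a body such as `{"k": "[[[[[["}`, either rejecting a legitimate request or, worse, undercounting depth after a stray `]` inside a string.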