THE OWASP ModSecurity team has released a patch for two vulnerabilities (CVE-2026-52747 and CVE-2026-52761) in ModSecurity version 3.0.16. These vulnerabilities allow attackers to bypass Web Application Firewall (WAF) rules without causing memory corruption or crashes. The multipart parser bypass (CVE-2026-52747) can conceal payloads that rely on split line breaks, while the transformation flaw (CVE-2026-52761) affects output on i386 architectures.
Both bugs impact versions 3.0.15 and earlier, and the recommended action is to upgrade to version 3.0.16. Addressing these vulnerabilities is crucial due to ModSecurity's widespread use and its significance in web application security.