CVE-2026-42268

Source
https://cve.org/CVERecord?id=CVE-2026-42268
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42268.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42268
Aliases
Downstream
Related
Published
2026-05-12T21:40:19.031Z
Modified
2026-07-08T08:13:14.132123721Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators
Details

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::outofrange) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-191",
        "CWE-248"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42268.json"
}
References

Affected packages

Git / github.com/owasp-modsecurity/modsecurity

Affected ranges

Type
GIT
Repo
https://github.com/owasp-modsecurity/modsecurity
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.15"
        }
    ],
    "cpe": "cpe:2.3:a:owasp:modsecurity:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v3.*
v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42268.json"