v3.0.15

Major changes in v3:

• fix: unsig integer underflow issue in verify* operators
  PR from private repo - @fumfel, @airween; fixed CVE-2026-42268
• fix: buffer overflow in hex_decode.cc
  PR from private repo - @EsadCetiner, @fumfel, @airween; fixed CVE-2026-30923
• fix: buffer overflow in multipart body proc
  PR #3546 - @fumfel, @airween
• fix: heap buffer overflow in acmp pm
  PR #3544 - @fumfel, @airween
• fix: nullptr dereference in seclang scanner
  PR #3543 - @fumfel, @airween
• fix: probably UB (left shift of neg. val) in ip_tree
  PR #3541 - @fumfel, @airween
• Add initial mbedTLS v4 support; bump mbedTLS to 4.1.0
  PR #3532 - @Easton97-Jens
• Update SQLi/XSS operators for libinjection v4.0.0; bump libinjection to 4.0.0
  PR #3528 - @Easton97-Jens

Beside of these, there are many other changes in 3.0.15 - for more information please see CHANGES.

v2.9.13

Full list of changes:

• fix: heap buffer overflow in acmp pm
  [Issue #3545 - @fumfel,@airween]
• fix: probably UB (left shift of neg. val) in ip_tree code
  [Issue #3542 - @fumfel,@airween]
• feat(libinjection): add libinjection 4 final to v2
  [Issue #3535 - @airween]
• fix: cppcheck warnings
  [Issue #3530 - @airween]
• feat: add Lua 5.5 support when available
  [Issue #3527 - @fzipi,@airween]
• refactor: remove NGINX support from v2 (#3498)
  [Issue #3502 - @sanjib2006]
• fix: cppcheck warnings in nginx/
  [Issue #3493 - @umprayz]
• fix: cppcheck warnings in standalone/
  [Issue #3488 - @umprayz]
• v2: Accept requests whose body length is exactly equal to SecRequestBodyNoFilesLimit
  [Issue #3480 - @hnakamur]
• fix: yajl detection for source installations (#3457)
  [Issue #3458 - @weida]
• feat: fix regression test, add a new CI workflow
  [Issue #3456 - @airween]
• Fix libxml2 related deprecated issues
  [Issue #3454 - @airween]
• Add CMake and CI Pipeline for ModSecurityIIS in ModSecurity V2
  [Issue #3452 - @A13501350]
• fix(iis): IPv6 Handling in ModSecurity IIS Module
  [Issue #3443 - @A13501350]
• fix: add event message resources to ModSecurityIIS.dll and resolve "Invalid function" errors (#3408)
  [Issue #3438 - @A13501350]

v2.9.12

There is an improper error handling in previous versions, see CVE 2025-54571. This release includes a fix for it.

Full list of changes:

• fix: Improper error handling
  [PR from private repo - @orangetw, @pgajdos, @ylavic, @theseion, @fzipi, @airween
  fixed CVE-2025-54571]
• fix: mod_security2's regression tests [Issue #3425 - @airween]
• fix: remove unused condition from msc_status_engine.c [Issue #3412 - @airween]
• fix: remove unwanted '\0' string terminator from argument's value [Issue #3411 - @airween]

v2.9.11

Changes in v2.9.11:

There is a DoS vulnerability in previous versions, see CVE 2025-52891. This release includes a fix for it.

Full list of changes:

• fix: prevent segmentation fault if the XML node is empty
  [PR from private repo - @theseion, @fzipi, @RedXanadu, @airween; fixed CVE-2025-52891]
• Plug memory leak when msre_op_validateSchema_execute() exits normally (validateSchema)
  [Issue #3401 - @nic-prgs]
• chore: bump version in MSI installer.wxs
  [Issue #3400 - @airween]
• Fix resource leaks in msc_status_engine_mac_address
  [Issue #3391 - @amezin]

v2.9.10

Changes in v2.9.10:

There is a DoS vulnerability in previous versions, see CVE 2025-48866. This release includes a fix for it.

• fix: DoS vulnerability
  [PR from private repo - @theseion, @fzipi, @airween; fixed CVE-2025-48866]

v2.9.9

Changes in v2.9.9:

There is a DoS vulnerability in previous versions, see CVE 2025-47947. This release includes a fix for it.

• fix: DoS vulnerability
  [PR from private repo - @theseion, @fzipi, @airween; fixed CVE-2025-47947]
• chore: log error codes for global mutex failure modes.
  [Issue #3387 - @airween]
• chore: refactor build system to use PCRE2
  [Issue #3383 - @airween]
• feat: add 'make test' to v2's workflow
  [Issue #3379 - @airween]
• fix: 'make test' is able to run again
  [Issue #3378 - @airween]
• fix: add PCRE2 capability to standalone module
  [Issue #3377 - @airween]
• chore: remove unnecessary @LIBXML2_CFLAGS@ from linker flags
  [Issue #3376 - @airween]
• fix: add msc_fullinfo() to check JIT compilation
  [Issue #3375 - @airween]
• Fix error logging for standalone module
  [Issue #3374 - @RedXanadu]
• Fix compiler warnings from GCC
  [Issue #3372 - @notroj]
• feat: improved XMLArgs processing
  [Issue #3358 - @airween]
• Incorrect utf8toUnicode transformation for 00xx
  [Issue #3284 - @marcstern]
• Fixed PCRE2 error message
  [Issue #3279 - @marcstern]
• make rootpath and incpath consts for apr_filepath_root
  [Issue #3270 - @Marcool04]
• Fix apr_global_mutex_create() usage
  [Issue #3269 - @marcstern]
• chore: add 'log' action to rule 200005 (v2/master)
  [Issue #3267 - @airween]
• Move id_log() to msc_util to fix unit tests; it is declared on msc_ut…
  [Issue #3265 - @rainerjung]
• Missing #include <time.h>
  [Issue #3262 - @marcstern]
• Fixed apr_global_mutex_create() usage (no filename)
  [PR #3269 - @marcstern]
• handle errors from apr_global_mutex_lock
  [PR #3257 - @marcstern]

Special thanks to @theseion and @fzipi for their big help, and all other participants.

v3.0.14

Major changes in v3:

• changed t:htmlEntityDecode transformation; fixed CVE-2025-27110
• add value checking to @validateByteRange operator
• fixed build library on OSX without GeoIP brew package
• aligned TIME_MON variable's behavior
• Leverage std::make_unique & std::make_shared to create objects in the heap
• Simplified handling of RuleMessage by removing usage of std::shared_ptr
• Simplified constructors, copy constructors & assignment operators

For more information please see CHANGES.

v3.0.13

Major changes in v3:

• added Windows port
• improved CI workflow
• removed unnecessary string copy operations, improved engine speed - several PR's
• fixed a bug in @pm operator
• extended the C/C++ API

For more information please see CHANGES.

v2.9.8

Major changes in v2:

• added a CI workflow
• changed error log format
• added a new MULTIPART HEADER check
• fixed many potential memory leaks and other potential memory handling problems

For more information please see CHANGES.

v3.0.12

Security impacting issue

• Change REQUEST_FILENAME and REQUEST_BASENAME behavior
  [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
  WAF bypass of the ModSecurity v3 release line for path-based payloads by submitting a specially crafted request URL. For details, see CVE 2024-1019.

Enhancements and bug fixes

• Set the minimum security protocol version (TLSv1.2) for SecRemoteRules
  [Issue security/code-scanning/2 - @airween]