{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-52761","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-08T17:13:43.063Z","datePublished":"2026-07-10T21:40:23.961Z","dateUpdated":"2026-07-10T21:40:23.961Z"},"containers":{"cna":{"title":"ModSecurity: Transformation utf8toUnicode produces wrong output on i386 architecture","problemTypes":[{"descriptions":[{"cweId":"CWE-467","lang":"en","description":"CWE-467: Use of sizeof() on a Pointer Type","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.8,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq","tags":["x_refsource_CONFIRM"],"url":"https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qjgm-7gp4-f8qq"},{"name":"https://github.com/owasp-modsecurity/ModSecurity/commit/edcd010814e234d46e2ec55a0f1078ff9d3032e4","tags":["x_refsource_MISC"],"url":"https://github.com/owasp-modsecurity/ModSecurity/commit/edcd010814e234d46e2ec55a0f1078ff9d3032e4"},{"name":"https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.16","tags":["x_refsource_MISC"],"url":"https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.16"}],"affected":[{"vendor":"owasp-modsecurity","product":"ModSecurity","versions":[{"version":">= 3.0.0, < 3.0.16","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T21:40:23.961Z"},"descriptions":[{"lang":"en","value":"ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in src/actions/transformations/utf8_to_unicode.cc produces wrong output on i386 architecture because snprintf uses sizeof on a char pointer rather than the length of the unicode buffer, allowing rules that use this transformation to be bypassed on i386 architecture. This issue is fixed in version 3.0.16."}],"source":{"advisory":"GHSA-qjgm-7gp4-f8qq","discovery":"UNKNOWN"}}}}