Security Advisory - Published 2026-07-11 - WAF / Web Server
ModSecurity batch: check WAF parsing, transformation behavior, and backend logs
These ModSecurity issues matter when a WAF sits in front of applications and the backend interprets request data differently. Patch ModSecurity, then verify that important rules still protect the backend behavior you rely on.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-52747 | ModSecurity | < 3.0.16 | WAF rules, multipart requests, backend parsing, and blocked request logs | 8.6 |
| CVE-2026-52761 | ModSecurity | 3.0.0 through 3.0.15 | WAF transformations, rule coverage, false negatives, and backend logs | 5.8 |
What to check
- ModSecurity engine version, connector version, CRS version, and whether a patched package is actually loaded by Apache, NGINX, or IIS.
- Multipart form handling for upload-heavy applications, contact forms, checkout forms, and admin panels.
- Custom transformations, rule exclusions, detection-only mode, and backend logs for requests the WAF did not block.
- Any application endpoint where WAF logs and backend logs disagree about request shape.
Safe fix path
- Upgrade ModSecurity to a fixed release, then restart the web server or WAF container.
- Keep a copy of current WAF rules, exclusions, audit logs, and backend error logs.
- Retest owned forms and upload paths after patching to catch false positives and coverage gaps.
- Review high-risk requests from the exposure window before clearing audit logs.
Compromise indicators
- Backend errors or application alerts for requests that the WAF treated as clean.
- Repeated multipart requests to login, upload, checkout, or admin endpoints.
- Unexpected rule exclusions, detection-only changes, or missing WAF audit records.
- Application-side evidence of tampered form fields, uploaded files, or stored records.
When to ask Ping7 for repair
Use Ping7 CVE Repair when a public application relied on ModSecurity for a critical boundary and WAF logs need to be compared with backend logs before the incident is closed.