trustwave CVE Vulnerabilities & Metrics

Focus on trustwave vulnerabilities and metrics.

Last updated: 01 Aug 2025, 22:25 UTC

About trustwave Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) attributed to trustwave: mostly ModSecurity (mod_security2 and libmodsecurity3) issues, plus entries for Trustwave Secure Web Gateway and WebDefend Enterprise. We track both calendar-based metrics (fixed periods) and rolling metrics (sliding windows) to give a view of how the exposure has evolved over time. Use these figures to assess risk and plan patching, but check each entry's affected-version range before acting on the counts alone.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total trustwave CVEs: 17
Earliest CVE date: 03 Jun 2009, 17:00 UTC
Latest CVE date: 21 May 2025, 22:15 UTC

Latest CVE reference: CVE-2025-47947

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based variation compares a fixed calendar period with its counterpart (this month against the same month last year), while the rolling growth rate compares a continuous window with the window immediately before it (the last 30 days against the 30 days before that), so it captures trends without being distorted by month and year boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%
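The following script reproduces the headline figures above from the publication dates and CVSS values printed in the listing further down. It is an added example, not the page's own code: the dates and scores are copied from the listing, the "as of" instant is the page's "Last updated" stamp, and two details are assumptions chosen to match the figures shown, namely that an empty baseline is reported as 0% rather than undefined, and that the year variation is year-to-date against the same span of the previous year.

```python
"""Recompute this page's rolling and calendar metrics from its own CVE listing.
Added example; dates/scores copied from the page, conventions marked as assumed."""
from datetime import datetime, timedelta, timezone

# (publication date, UTC; CVSS as printed, where 0 means no score in this dataset)
CVES = {
    "CVE-2025-47947": ("2025-05-21T22:15", 0.0),
    "CVE-2025-27110": ("2025-02-25T20:15", 0.0),
    "CVE-2024-46292": ("2024-10-09T16:15", 0.0),
    "CVE-2023-24021": ("2023-01-20T19:15", 0.0),
    "CVE-2022-48279": ("2023-01-20T19:15", 0.0),
    "CVE-2021-42717": ("2021-12-07T22:15", 5.0),
    "CVE-2017-18001": ("2017-12-31T19:29", 10.0),
    "CVE-2013-5705": ("2014-04-15T10:55", 5.0),
    "CVE-2013-2765": ("2013-07-15T15:55", 5.0),
    "CVE-2013-1915": ("2013-04-25T23:55", 7.5),
    "CVE-2012-4528": ("2012-12-28T11:48", 5.0),
    "CVE-2012-2751": ("2012-07-22T16:55", 4.3),
    "CVE-2009-5031": ("2012-07-22T16:55", 4.3),
    "CVE-2011-1906": ("2011-05-05T14:55", 5.0),
    "CVE-2011-0756": ("2011-05-05T02:39", 5.0),
    "CVE-2009-1903": ("2009-06-03T17:00", 4.3),
    "CVE-2009-1902": ("2009-06-03T17:00", 5.0),
}
AS_OF = datetime(2025, 8, 1, 22, 25, tzinfo=timezone.utc)  # page's "Last updated"


def _dates():
    return [datetime.fromisoformat(d).replace(tzinfo=timezone.utc) for d, _ in CVES.values()]


def rolling_count(days, as_of=AS_OF, offset_days=0):
    """CVEs published in the half-open window (end - days, end], where end is
    as_of shifted back by offset_days (offset_days=days selects the previous window)."""
    end = as_of - timedelta(days=offset_days)
    start = end - timedelta(days=days)
    return sum(1 for d in _dates() if start < d <= end)


def pct_change(current, previous):
    """Percent change to one decimal. An empty baseline is reported as 0.0
    instead of undefined (assumed page convention; it explains the 0.0% figures)."""
    if previous == 0:
        return 0.0
    return round((current - previous) / previous * 100, 1)


def rolling_growth(days, as_of=AS_OF):
    """Last `days` days against the `days` days before that."""
    return pct_change(rolling_count(days, as_of), rolling_count(days, as_of, offset_days=days))


def calendar_variation(as_of=AS_OF):
    """(month variation, year variation): this calendar month vs the same month
    last year, and year-to-date vs the same span last year (assumed definition)."""
    dates = _dates()
    month_now = sum(1 for d in dates if (d.year, d.month) == (as_of.year, as_of.month))
    month_prev = sum(1 for d in dates if (d.year, d.month) == (as_of.year - 1, as_of.month))
    cutoff_prev = as_of.replace(year=as_of.year - 1)  # would fail on 29 Feb; safe for 1 Aug
    ytd_now = sum(1 for d in dates if d.year == as_of.year and d <= as_of)
    ytd_prev = sum(1 for d in dates if d.year == as_of.year - 1 and d <= cutoff_prev)
    return pct_change(month_now, month_prev), pct_change(ytd_now, ytd_prev)


def average_cvss(include_unscored=True):
    """Mean CVSS. The page's 3.85 counts the five unscored entries as 0;
    include_unscored=False averages only the entries that carry a score."""
    scores = [s for _, s in CVES.values() if include_unscored or s > 0]
    return round(sum(scores) / len(scores), 2)


def cvss_buckets():
    """Counts per range, matching the page's 'CVSS Range vs. Count' table."""
    buckets = {"0.0-3.9": 0, "4.0-6.9": 0, "7.0-8.9": 0, "9.0-10.0": 0}
    for _, s in CVES.values():
        key = "9.0-10.0" if s >= 9 else "7.0-8.9" if s >= 7 else "4.0-6.9" if s >= 4 else "0.0-3.9"
        buckets[key] += 1
    return buckets


if __name__ == "__main__":
    print("total:", len(CVES))
    print("30-day rolling:", rolling_count(30), " 365-day rolling:", rolling_count(365))
    print("growth 30/365:", rolling_growth(30), rolling_growth(365))
    print("calendar month/year variation:", calendar_variation())
    print("average CVSS:", average_cvss(), " scored entries only:", average_cvss(False))
    print(cvss_buckets())
```

Running it gives 17 CVEs, a 30-day count of 0 and a 365-day count of 3 (the three 2024 and 2025 entries), all growth and variation figures at 0.0%, and the bucket counts of the table below; it also shows that the average rises from 3.85 to 5.45 once the unscored entries are left out.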

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical trustwave CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.85

Max CVSS: 10.0

Critical CVEs (≥9): 1

The five most recent entries (CVE-2022-48279 onward) are listed with a score of 0, which means no score is recorded in this dataset, not that they are harmless; counting them as 0 pulls the average down (the mean of the twelve scored entries is 5.45). Judge those five by their descriptions and affected-version ranges rather than by the headline number.

CVSS Range vs. Count

CVSS Range    Count
0.0-3.9        5
4.0-6.9       10
7.0-8.9        1
9.0-10.0       1

CVSS Distribution Chart

Top 5 Highest CVSS trustwave CVEs

These are the five CVEs with the highest CVSS scores for trustwave, sorted by severity first and then by recency.

All CVEs for trustwave

CVE-2025-47947 trustwave vulnerability CVSS: 0 21 May 2025, 22:15 UTC

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.

CVE-2025-27110 trustwave vulnerability CVSS: 0 25 Feb 2025, 20:15 UTC

Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.

CVE-2024-46292 trustwave vulnerability CVSS: 0 09 Oct 2024, 16:15 UTC

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue).

CVE-2023-24021 trustwave vulnerability CVSS: 0 20 Jan 2023, 19:15 UTC

Incorrect handling of '\0' bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer over-reads on the Web Application Firewall when executing rules that read the FILES_TMP_CONTENT collection.

CVE-2022-48279 trustwave vulnerability CVSS: 0 20 Jan 2023, 19:15 UTC

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

CVE-2021-42717 trustwave vulnerability CVSS: 5.0 07 Dec 2021, 22:15 UTC

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
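A pre-check that bounds JSON nesting depth before the body reaches a recursive parser is the usual defence against the class of input described above. The block below is an added example, not ModSecurity code; the depth limit of 64 is an assumed policy value and the two request bodies are constructed. The scan is linear and allocation-free: it counts `{`/`[` nesting while skipping string literals (brackets inside strings, including after escaped quotes, are not counted) and stops at the first character that exceeds the limit, so a 300 KB wall of brackets is rejected without the recursive parser ever running.

```python
"""Depth-bounded JSON acceptance check. Added example, not ModSecurity code."""
import json

DEFAULT_MAX_DEPTH = 64  # assumed policy value, not a ModSecurity setting


class JSONTooDeep(ValueError):
    pass


def max_json_depth(data, limit=None):
    """Return the maximum object/array nesting depth of a JSON text. If limit is
    given, raise JSONTooDeep as soon as the depth exceeds it. Unbalanced input is
    not diagnosed here; that is left to the real parser."""
    if isinstance(data, (bytes, bytearray)):
        # Only ASCII structural characters matter, and multi-byte UTF-8 sequences
        # never contain ASCII bytes, so a lossy decode cannot change the result.
        data = data.decode("utf-8", "replace")
    depth = max_depth = 0
    in_string = escaped = False
    for ch in data:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if limit is not None and depth > limit:
                    raise JSONTooDeep(f"nesting depth exceeds {limit}")
        elif ch in "}]":
            depth -= 1
    return max_depth


def parse_request_json(body, limit=DEFAULT_MAX_DEPTH):
    """Depth-check first, then parse. Returns (ok, value_or_reason)."""
    try:
        max_json_depth(body, limit)
    except JSONTooDeep as exc:
        return False, str(exc)
    try:
        return True, json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return False, f"invalid JSON: {exc}"


# Constructed inputs: an ordinary document, and a ~300 KB wall of brackets of the
# kind the CVE text describes (tens of thousands of levels deep).
NORMAL = b'{"user": "alice", "tags": ["a", "b"], "note": "[[[[ not nesting ]]]]"}'
HOSTILE = b"[" * 150_000 + b"]" * 150_000

if __name__ == "__main__":
    print(parse_request_json(NORMAL))
    print(parse_request_json(HOSTILE))
```

The hostile body is refused at the 65th opening bracket; the parser is only reached by bodies that already passed the bound, so the cost of a malicious request is bounded by the scan, not by the parser.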

CVE-2017-18001 trustwave vulnerability CVSS: 10.0 31 Dec 2017, 19:29 UTC

Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.

CVE-2013-5705 trustwave vulnerability CVSS: 5.0 15 Apr 2014, 10:55 UTC

apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
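The mistake class named here is a case-sensitive comparison of a header whose values are case-insensitive by specification: if the inspector decides the body is not chunked while the origin server decides it is, the two see different bodies. The block below is an added example, not ModSecurity's code: `is_chunked_naive` models the bug pattern, `is_chunked_rfc` parses the header as RFC 7230 requires, and `dechunk`/`waf_inspect` show what each approach actually inspects on a constructed request whose payload is split across chunks.

```python
"""Transfer-Encoding handling: naive exact match vs RFC 7230 token parsing.
Added example, not ModSecurity code; the request below is constructed."""
import re


def transfer_codings(header_value):
    """Lower-cased transfer-coding names from a Transfer-Encoding value.
    RFC 7230 §4: names are case-insensitive; each comma-separated element may
    carry ';'-separated parameters; empty list elements are tolerated (§7)."""
    names = []
    for element in header_value.split(","):
        element = element.strip()
        if element:
            names.append(element.split(";", 1)[0].strip().lower())
    return names


def is_chunked_naive(header_value):
    """Exact, case-sensitive match: 'Chunked', 'chunked ' and 'gzip, chunked' all fail."""
    return header_value == "chunked"


def is_chunked_rfc(header_value):
    """RFC 7230 §3.3.3: the body is chunked when 'chunked' is the final coding."""
    names = transfer_codings(header_value)
    return bool(names) and names[-1] == "chunked"


def dechunk(body):
    """Decode a chunked body (RFC 7230 §4.1). Chunk extensions are ignored and
    any trailer section is discarded. Raises ValueError on malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing chunk terminator")
        out += chunk
        pos += size + 2


ATTACK = re.compile(rb"<script", re.IGNORECASE)


def waf_inspect(headers, body, chunked_check):
    """True if the attack pattern is found in the body as the inspector sees it:
    decoded only when chunked_check accepts the header value, raw otherwise.
    (Header names are matched exactly here; a real parser matches them case-insensitively.)"""
    value = headers.get("Transfer-Encoding", "")
    data = dechunk(body) if chunked_check(value) else body
    return ATTACK.search(data) is not None


# Constructed request: '<script' is split across two chunks, so chunk-size lines
# sit in the middle of the token whenever the body is read without decoding.
HEADERS = {"Transfer-Encoding": "Chunked", "Content-Type": "text/plain"}
BODY = b"4\r\n<scr\r\n3\r\nipt\r\n0\r\n\r\n"

if __name__ == "__main__":
    print("decoded body:", dechunk(BODY))
    print("naive check sees attack:", waf_inspect(HEADERS, BODY, is_chunked_naive))
    print("RFC check sees attack:", waf_inspect(HEADERS, BODY, is_chunked_rfc))
```

With the naive check the inspector scans the raw framing and the pattern never matches; with the RFC check it scans the decoded `<script` and does. The general lesson is that any value the inspector compares must be normalized exactly as the origin server normalizes it, including list splitting and parameters, not only case.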

CVE-2013-2765 trustwave vulnerability CVSS: 5.0 15 Jul 2013, 15:55 UTC

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header.

CVE-2013-1915 trustwave vulnerability CVSS: 7.5 25 Apr 2013, 23:55 UTC

ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability.

CVE-2012-4528 trustwave vulnerability CVSS: 5.0 28 Dec 2012, 11:48 UTC

The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.

CVE-2012-2751 trustwave vulnerability CVSS: 4.3 22 Jul 2012, 16:55 UTC

ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.

CVE-2009-5031 trustwave vulnerability CVSS: 4.3 22 Jul 2012, 16:55 UTC

ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.
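Both this entry and CVE-2012-2751 come down to one decision: whether a multipart/form-data part is a form field or a file upload. A part is a file only when its Content-Disposition carries a `filename` parameter; a single quote inside a quoted-string value is an ordinary character and must not influence that decision, because a value misfiled as an upload is not exposed as a request argument and so is never seen by argument rules. The block below is an added example, not ModSecurity code, showing a parser that makes the decision correctly; the part headers are constructed.

```python
"""Field-or-file classification of multipart parts from Content-Disposition.
Added example, not ModSecurity code; sample part headers are constructed."""
import re

# One ';'-separated parameter: token '=' (quoted-string | token). A quoted-string
# may contain backslash-escaped characters (RFC 2183 / RFC 7578 syntax).
_PARAM = re.compile(
    r';\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]*))'
)


def parse_content_disposition(value):
    """'form-data; name="a"; filename="b"' -> ('form-data', {'name': 'a', 'filename': 'b'})."""
    head, _, rest = value.partition(";")
    params = {}
    for m in _PARAM.finditer(";" + rest):
        name = m.group(1).lower()
        if m.group(2) is not None:
            params[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \" and \\
        else:
            params[name] = m.group(3)
    return head.strip().lower(), params


def classify_part(content_disposition):
    """Return ('field'|'file', name, filename). Only the presence of a filename
    parameter makes a part a file; what the name value contains is irrelevant."""
    disposition, params = parse_content_disposition(content_disposition)
    if disposition != "form-data" or "name" not in params:
        raise ValueError("not a multipart/form-data part header: " + content_disposition)
    if "filename" in params:
        return "file", params["name"], params["filename"]
    return "field", params["name"], None


def inspectable_args(part_headers):
    """Names of the parts an inspector should expose as request arguments:
    every field part, whatever punctuation its name or value carries."""
    return [name for kind, name, _ in map(classify_part, part_headers) if kind == "field"]


PARTS = [
    'form-data; name="comment"',
    "form-data; name=\"'quoted'\"",               # single quote at the start of the value
    'form-data; name="o\'reilly"',                # single quote inside the value
    'form-data; name="upload"; filename="a.txt"',
    'form-data; name="upload2"; filename="say \\"hi\\".txt"',  # escaped double quotes
]

if __name__ == "__main__":
    for header in PARTS:
        print(classify_part(header))
    print("arguments to inspect:", inspectable_args(PARTS))
```

The three field parts are reported as arguments regardless of where a single quote appears, and the two upload parts are recognised by their `filename` parameter alone; an inspector built on this rule cannot be talked into skipping a value by adding punctuation to it.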

CVE-2011-1906 trustwave vulnerability CVSS: 5.0 05 May 2011, 14:55 UTC

Trustwave WebDefend Enterprise before 5.0 7.01.903-1.4 stores specific user-account credentials in a MySQL database, which makes it easier for remote attackers to read the event collection table via requests to the management port, a different vulnerability than CVE-2011-0756.

CVE-2011-0756 trustwave vulnerability CVSS: 5.0 05 May 2011, 02:39 UTC

The application server in Trustwave WebDefend Enterprise before 5.0 uses hardcoded console credentials, which makes it easier for remote attackers to read security-event data by using the remote console GUI to connect to the management port.

CVE-2009-1903 trustwave vulnerability CVSS: 4.3 03 Jun 2009, 17:00 UTC

The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method.

CVE-2009-1902 trustwave vulnerability CVSS: 5.0 03 Jun 2009, 17:00 UTC

The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request with a missing part header name, which triggers a NULL pointer dereference.