A newly disclosed vulnerability in ModSecurity, a widely used open-source web application firewall (WAF), exposes servers to denial-of-service (DoS) attacks by exploiting a flaw in the way the software parses empty XML elements.
The flaw, registered as CVE-2025-52891, affects ModSecurity versions 2.9.8 to before 2.9.11 and is rated with a CVSS v3 base score of 6.5 (moderate severity).
https://gbhackers.com/critical-bug-in-modsecurity-waf/