Web application firewall

This hub aggregates every CVE we track for Web application firewall, a product in the networking infrastructure space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 13 most recently published vulnerabilities affecting Web application firewall.

• CVE-2025-2418Open Redirect in TR7's Web Application Firewall4.3Feb 16, 2026
• CVE-2022-4539Web Application Firewall <= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass5.3Aug 31, 2024
• CVE-2024-8073Command Injection Vulnerability in Hillstone Networks Web Application Firewall9.8Aug 26, 2024
• CVE-2021-41823The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism.6.1Jan 1, 2023
• CVE-2021-45468Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote unauthenticated attackers to use "Content-Encoding: gzip" to evade WAF security controls and send malicious HTTP POST requests...9.8Jan 14, 2022
• CVE-2021-45105Apache Log4j2 does not always protect from infinite recursion in lookup evaluation5.9Dec 18, 2021
• CVE-2020-14210Reflected Cross-Site Scripting (XSS) vulnerability in MONITORAPP WAF in which script can be executed when responding to Request URL information. It provides a function to response to Request URL in...6.1Jun 16, 2020
• CVE-2014-2595Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.9.8Feb 12, 2020
• CVE-2018-3639Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of...5.5May 22, 2018
• CVE-2017-15524The Application Firewall Pack (AFP, aka Web Application Firewall) component on Kemp Load Balancer devices with software before 7.2.40.1 allows a Security Feature Bypass via an HTTP POST request.9.1Dec 18, 2017
• CVE-2017-14706DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToke...9.8Sep 22, 2017
• CVE-2017-14705DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webs...8.1Sep 22, 2017
• CVE-2011-3140IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same ...5.0Aug 15, 2011