CVE-2026-21876 — Incomplete Filtering of Multiple Instances of Special Elements in ModSecurity Core Rule Set
Severity
5.3 MEDIUM (NVD)
EPSS
0.1%
top 77.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jan 8
Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means maliciou…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 3 packages
Patches
Vulnerability Details
OSV (1)
CVE-2026-21876: The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls (2026-01-08)
Vendor Advisories
Debian (1)
CVE-2026-21876: modsecurity-crs - The OWASP core rule set (CRS) is a set of generic attack detection rules for use... (2026)