https://0d2d0d50.website-1u6.pages.dev/categories/security/Recent content in CRS Projecthttps://0d2d0d50.website-1u6.pages.dev/20260106/cve-2026-21876-critical-multipart-charset-bypass-fixed-in-crs-4.22.0-and-3.3.8/Tue, 06 Jan 2026 00:00:00 +0000<p>We are disclosing a security bypass vulnerability in OWASP CRS that affects rule 922110, which validates charset parameters in multipart/form-data requests. This vulnerability, assigned <strong>CVE-2026-21876</strong>, has existed since the rule was introduced and affected all CRS supported versions.</p> <table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Published</td> <td>January 6, 2026</td> </tr> <tr> <td>Reported by</td> <td>some0ne (<a href="https://github.com/daytriftnewgen">https://github.com/daytriftnewgen</a>)</td> </tr> <tr> <td>Fixed by</td> <td>Ervin Hegedüs (airween) and Felipe Zipitría (fzipi)</td> </tr> <tr> <td>Severity</td> <td>CRITICAL (CVSS 9.3)</td> </tr> <tr> <td>Internal ID</td> <td>9AJ-260102</td> </tr> </tbody> </table> <p>The vulnerability allows attackers to bypass charset validation by exploiting how ModSecurity&rsquo;s chained rules process collections. We have developed and tested a fix that is now available in <strong>CRS version 4.22.0</strong> and <strong>CRS version 3.3.8</strong>.</p>