PT-2026-2115 · Coraza+3

Daytriftnewgen · Published 2026-01-08 · Updated 2026-05-01 · CVE-2026-21876

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OWASP Core Rule Set versions prior to 4.22.0
OWASP Core Rule Set versions prior to 3.3.8
Description
Rule 922110 mishandles multipart requests that contain multiple parts. When the first rule in a chain iterates over a collection such as MULTIPART_PART_HEADERS, the capture variables TX:0 and TX:1 are overwritten on each iteration, so only the last captured value is available to the chained rule. An attacker can therefore bypass charset validation by placing a malicious charset (e.g., UTF-7 for XSS) in an early part of the request and a legitimate charset in a later part, causing the WAF to overlook the malicious payload.
Recommendations
Update to version 4.22.0 or 3.3.8. As a temporary workaround, rule 922110 can be disabled, although this weakens overall protection.

Related Identifiers

CVE-2026-21876
GHSA-36FV-25J3-R2C5
OESA-2026-1103
OESA-2026-1104
OESA-2026-1105
OESA-2026-1106
OESA-2026-1107
OESA-2026-1108
OESA-2026-1573

Affected Products

Coraza
Debian
Modsecurity
Owasp Core Rule Set