CVE-2026-21876

{"id": "CVE-2026-21876", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2026-01-08T14:15:57.087", "references": [{"url": "https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83", "source": "security-advisories@github.com"}, {"url": "https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6", "source": "security-advisories@github.com"}, {"url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8", "source": "security-advisories@github.com"}, {"url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-794"}]}], "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue."}], "lastModified": "2026-01-08T18:08:18.457", "sourceIdentifier": "security-advisories@github.com"}