CWE-794

Incomplete Filtering of Multiple Instances of Special Elements

1 CVEs Avg CVSS 9.3 MITRE

1

CRITICAL

0

HIGH

0

MEDIUM

0

LOW

1

POC

0

KEV

Monthly

CVE-2026-21876 CRITICAL POC PATCH Act Now

OWASP Core Rule Set (CRS) before 4.22.0 and 3.3.8 has a bug in rule 922110 that allows WAF bypass on multipart requests. The rule's capture variables get overwritten when processing multiple parts, allowing SQL injection and other attacks to slip through. PoC available, patch available.

Information Disclosure

NVD GitHub

CVSS 3.1

9.3

EPSS

0.1%

CVE-2026-21876

EPSS 0% CVSS 9.3

CRITICAL POC PATCH Act Now

OWASP Core Rule Set (CRS) before 4.22.0 and 3.3.8 has a bug in rule 922110 that allows WAF bypass on multipart requests. The rule's capture variables get overwritten when processing multiple parts, allowing SQL injection and other attacks to slip through. PoC available, patch available.

Information Disclosure

NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy