Apache mod_security: Incorrect Charset Detection in Multipart Requests

OESA-2026-1573
Summary

A bug in the OWASP core rule set (CRS) for Apache mod_security could allow attackers to evade some security checks. It affects CRS versions prior to 4.22.0 and 3.3.8, and updating fixes the issue. If you use Apache mod_security with the CRS, you should update the rule set to version 4.22.0 or 3.3.8.

What to do
  • Update mod_security_crs to version 3.2.2-3.oe2003sp4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | mod_security_crs | <= 3.2.2-3.oe2003sp4 | 3.2.2-3.oe2003sp4 |
Original title
mod_security_crs security update
Original description
The base rules are provided for mod_security by this package.

Security Fix(es):

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue. (CVE-2026-21876)
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026
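
The capture-overwrite behaviour described for rule 922110, modelled as an added Python example for regression-testing a deployment (this is not CRS or ModSecurity code). The allow-list, the regex, the function names and the sample part headers are assumptions constructed for illustration, not the text of the rule.

```python
import re

# Assumed allow-list and pattern for illustration; not the text of rule 922110.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}
CHARSET_RE = re.compile(r"content-type:[^;]*;\s*charset\s*=\s*\"?([\w.-]+)", re.I)

def chained_check_last_capture(part_headers):
    """Model of the flawed chain: the first rule iterates the whole collection
    and overwrites TX:0/TX:1 on every match; the chained rule then runs once
    and sees only the last captured charset."""
    tx = {}
    for header in part_headers:
        m = CHARSET_RE.search(header)
        if m:
            tx["0"], tx["1"] = m.group(0), m.group(1)  # overwritten each iteration
    if "1" not in tx:
        return []  # first rule never matched, chain not evaluated
    return [] if tx["1"].lower() in ALLOWED_CHARSETS else [tx["1"]]

def per_part_check(part_headers):
    """Model of the intended behaviour: every captured charset is validated
    before the next part can overwrite it."""
    violations = []
    for header in part_headers:
        m = CHARSET_RE.search(header)
        if m and m.group(1).lower() not in ALLOWED_CHARSETS:
            violations.append(m.group(1))
    return violations

# Constructed sample: stand-in for MULTIPART_PART_HEADERS of a two-part body.
# "x-unlisted" is a placeholder for any charset outside the allow-list.
SAMPLE_PART_HEADERS = [
    'Content-Disposition: form-data; name="a"',
    "Content-Type: text/plain; charset=x-unlisted",
    'Content-Disposition: form-data; name="b"',
    "Content-Type: text/plain; charset=utf-8",
]

if __name__ == "__main__":
    print("last-capture chain flags:", chained_check_last_capture(SAMPLE_PART_HEADERS))
    print("per-part check flags:   ", per_part_check(SAMPLE_PART_HEADERS))
```

A request shaped like the constructed sample is a useful regression case after updating: a patched rule set should flag it, as the per-part model does.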