February 28, 2026
By Felipe Zipitria
The OWASP CRS team is pleased to announce the release of CRS v4.24.0.
For downloads and installation instructions, please refer to the Installation page.
This is a regular minor release with no breaking changes or security fixes. It includes new detection capabilities, important bug fixes, false positive reductions, and a significant modernization effort converting rules to regex-assembly format.
New detections
- Smarty template PHP tag detection (rule 933100): Added detection for Smarty template engine PHP tags, expanding protection against Server-Side Template Injection (SSTI) attacks targeting PHP applications using the Smarty templating engine, by @touchweb-vincent (#4447)

Bug fixes
- Lazy regex for RCE rule 932130: Changed regex semantics from . (match anything) to [^\(\)] for better performance and specificity, preventing potential backtracking issues, by @fzipi (#3730)
- Method override false blocking (rule 920650): Fixed the rule to not block requests when the _method override parameter matches the actual HTTP method being used. Applications like GitLab sometimes set _method=post in POST request bodies, which was triggering false blocks, by @EsadCetiner (#4455)
- Multi-byte UTF-8 handling in SQL special character detection (rules 942420-942432): Extracted multi-byte UTF-8 characters (acute accent U+00B4, left single quote U+2018, right single quote U+2019) from regex character classes into alternations. Previously, byte-by-byte matching caused false positives with non-Latin scripts including Chinese, Japanese, Arabic, Korean, and Hebrew. This closes the longstanding issue #3325, by @fzipi (#4458)

False positive fixes
- Restricted files FP reduction (rule 930130): Removed .pac from the restricted files dataset because it was also matching legitimate files containing .pack in the name (e.g., jquery.nivo.slider.pack.js). Also mitigated FP on .history pattern matching files like jquery.history.min.js, by @touchweb-vincent (#4451)
- UNIX command FP reduction (rule 932340): Added prefix requirements for shell evasion detection, as two-letter UNIX commands were causing FPs when users entered initials into form fields, by @ssigwart (#4454)
- XMP metadata and XSL stylesheet FP (rule 933100): Reduced false positives caused by Adobe XMP metadata packets and XSL stylesheet declarations, which were being flagged as PHP injection attempts, by @touchweb-vincent (#4445)
- JSON variable name “profile” FP: When sending JSON data to libModSecurity3 or Coraza, a variable named profile becomes ARGS_NAMES:json.profile, which matched an entry in lfi-os-files.data (the .profile file). Added a configure-time rule exclusion to resolve this, by @EsadCetiner (#4477)
- French addresses FP (rule 942200): Fixed false positives triggered by French addresses containing comma and single quote patterns like 999, rue d'Arlon, by @theseion (#4476)
- Google Funding Choices cookie exclusions: Added more exclusions for Google Funding Choices cookies that were triggering false positives, by @azurit (#4484)

Regex assembly conversions
A major theme of this release is the conversion of rules to regex-assembly format. This enables management by the crs-toolchain, allows optimized regex generation with common prefix factoring, and makes rules easier to maintain. In this release, 12 rules were converted:
February 25, 2026
By Felipe Zipitria
We are excited to announce the Open WAF Day 2026 in Vienna, Austria!
Following the success of our Barcelona 2025 event, we’re bringing the community together again for a full day of presentations, discussions, and networking centered around Web Application Firewalls, CRS, and related technologies.
Event Details
Date: Wednesday, June 24, 2026
Time: 09:00 - 18:00 (CEST)
Location: Vienna, Austria
Cost: Free attendance

Registration
Registration is now open! Please register using the form below to secure your spot:
January 22, 2026
By Felipe Zipitria
We’re excited to introduce CRSLang, a new YAML-based rule language that will replace Seclang in the next major release of OWASP CRS. This represents a significant evolution in how we write, maintain, and deploy WAF rules.
Why CRSLang?
For nearly two decades, the OWASP CRS has relied on ModSecurity’s Seclang syntax. While Seclang has served us well, it comes with significant limitations that have become increasingly apparent as the project has grown:
January 22, 2026
By Felipe Zipitria
We are excited to introduce the community to a significant development in the CRS ecosystem: the seclang_parser, an ANTLR-based parser for the SecLang configuration language used by ModSecurity and compatible WAF engines.
What is seclang_parser?
The seclang_parser is a grammar-based parser built using ANTLR 4 (Another Tool for Language Recognition) that provides a unified, language-agnostic approach to parsing ModSecurity’s SecLang configuration files. Rather than maintaining separate parsing implementations across different programming languages, this project consolidates efforts around a single, authoritative grammar specification.
January 6, 2026
By Felipe Zipitria
We are disclosing a security bypass vulnerability in OWASP CRS that affects rule 922110, which validates charset parameters in multipart/form-data requests. This vulnerability, assigned CVE-2026-21876, has existed since the rule was introduced and affected all CRS supported versions.
Published: January 6, 2026
Reported by: some0ne (https://github.com/daytriftnewgen)
Fixed by: Ervin Hegedüs (airween) and Felipe Zipitría (fzipi)
Severity: CRITICAL (CVSS 9.3)
Internal ID: 9AJ-260102

The vulnerability allows attackers to bypass charset validation by exploiting how ModSecurity’s chained rules process collections. We have developed and tested a fix that is now available in CRS version 4.22.0 and CRS version 3.3.8.
December 14, 2025
By Felipe Zipitria
During our recent developer retreat in Bern, the CRS core team made important decisions about the future of Long-Term Support for CRS 4. Today, we’re announcing our LTS release timeline and sharing an honest update about the challenges we face in securing dedicated sponsorship for this critical work.
Why We’re Rethinking LTS Duration
Consider this: would you trust an antivirus with signatures that are five years old? Of course not. Yet that’s essentially what extended LTS periods can create in web application security.
November 28, 2025
By Christian Folini (netnea)
We need your help. And, in return, we’re going to make CRS faster for everyone.
Here’s the thing: we’ve been optimizing OWASP CRS for years. We’ve improved detection capabilities, reduced false positives, and added new protections. But when it comes to performance optimization, we’ve been flying blind to a pretty wide extent.
The Problem We’re Facing
How many HTTP headers does a typical request carry these days? What’s the average length of a query string? How many cookies do modern web servers actually receive? What does a normal request body look like in 2025? How large are the JSON files an API gateway faces?
September 1, 2025
By Max Leske
We’re excited to announce our second community call, taking place on Monday 22 September, 2025. We were pretty happy with our first community call back in March, but we want to make it bigger and better. It would be amazing to have more CRS users and security enthusiasts join us on our next community call: everyone is welcome, and it would be great to see some new faces! The first call was a good experience for all attendees to get to know each other and chat about CRS. So we decided to give it another go and see what will happen.
August 10, 2025
By Teddy B
The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that store, process, or transmit cardholder data or sensitive authentication data, as well as any systems, people, or processes that could affect their security. This includes not only merchants and service providers, but also supporting components such as authentication servers, access controls, and Web Application Firewalls (WAFs).
The OWASP CRS (Core Rule Set) is a widely adopted, open-source set of WAF rules designed to detect and block a broad range of web application attacks. When properly deployed, CRS provides robust, customizable protection against many threats relevant to PCI DSS compliance.
In recent updates, the CRS team decided to remove PCI DSS-specific tags from individual rules. As the PCI standard has evolved (at the time of writing it is at version 4.0.1), maintaining a rigid mapping of requirements to specific CRS rule IDs became impractical and potentially misleading. The focus has therefore shifted to showing how CRS, as a whole, reinforces your PCI DSS compliance posture. This post contributes to that effort by illustrating how CRS adds a critical layer of real-time inspection for web-facing applications.
June 19, 2025
By Felipe Zipitria
After coming back from Barcelona, it took me a bit to adjust to my normal timezone. It took me a while to just get my head on this post.
First of all, we would like to thank again our Open WAF Day Barcelona 2025 sponsor, Harness 👏 👏 👏. Without them, setting this up would have been extremely difficult.
Now, we had around 20 people stopping by in our assigned room at the magnificent CCIB. The agenda ended up being: