Security Updates
- Last Updated: April 21, 2026
- 1 minute read
- LoadMaster
- LoadMaster LTSF
- Documentation
Refer to this knowledge base article for more information on the security vulnerabilities listed below.
Fix for CVE-2026-21876
Fixed an issue in the OWASP Core Rule Set that could occur when processing multipart requests with multiple parts, where malicious charsets in earlier parts can be missed if a later part has a legitimate charset. (LM-8555)
Fix for CVE-2026-3517
Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API. (LM-8727)
Fix for CVE-2026-3518
Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API. (LM-8604)
Fix for CVE-2026-3519
Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API. (LM-8810)
Fix for CVE-2026-4048
Fixed an issue that allowed an authenticated user to cause a system reboot by uploading a carefully crafted custom Web Application Firewall (WAF) rule. (LM-8827)
WAF Updates
In this release, many WAF stability and bug fix updates have been back-ported from the General Availability (GA) branch version 7.2.63.0. These include the following:
- The ModSecurity engine updated to version 2.9.12.
- The OWASP Core Rule Set (CRS) updated to version 3.3.8.
- Fixes for various issues with processing chunked requests.
- Logging stability fixes.