Refer to this knowledge base article for more information on the security vulnerabilities listed below.

Fix for CVE-2026-21876

Fixed an issue in the OWASP Core Rule Set that could occur when processing multipart requests with multiple parts, where malicious charsets in earlier parts can be missed if a later part has a legitimate charset. (LM-8555)

Fix for CVE-2026-3517

Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API. (LM-8727)

Fix for CVE-2026-3518

Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API. (LM-8604)

Fix for CVE-2026-3519

Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API. (LM-8810)

Fix for CVE-2026-4048

Fixed an issue that allowed an authenticated user to cause a system reboot by uploading a carefully crafted custom Web Application Firewall (WAF) rule. (LM-8827)