Progress Software has patched a critical WAF bypass vulnerability (CVE-2026-21876, CVSS 9.3) in the OWASP ModSecurity Core Rule Set used by MOVEit WAF. The flaw affects OWASP ModSecurity Core Rule Set versions prior to 3.3.8 and versions 4.0.0 through 4.21.x. Users must upgrade to version 3.3.8 or 4.22.0 to remediate the issue.
Progress Software has fixed a slew of high-severity vulnerabilities in MOVEit WAF and LoadMaster, including a flaw (CVE-2026-21876) that may allow attackers to bypass firewall detection. MOVEit WAF (web application firewall) is designed to protect Progress’s managed file transfer platform MOVEit Transfer from web-based attacks. (A zero-day vulnerability in MOVEit Transfer was infamously exploited in 2023 by the Cl0p cyber extortion gang to grab data from hundreds of organizations.) LoadMaster is the company’s general-purpose enterprise … More → The post Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) appeared first on Help Net Security .