From e51546cd4233c92677fd336bf4aebdba218dac32 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:30:27 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-21643 rule --- .../crowdsecurity/vpatch-CVE-2026-21643.yaml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-21643.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-21643.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-21643.yaml new file mode 100644 index 00000000000..a7c4f33f283 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-21643.yaml @@ -0,0 +1,33 @@ +## autogenerated on 2026-04-15 13:30:23 +name: crowdsecurity/vpatch-CVE-2026-21643 +description: 'Detects SQL injection in Fortinet FortiClientEMS via the Site HTTP header on /api/v1/init_consts.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /api/v1/init_consts + - zones: + - HEADERS + variables: + - site + transform: + - lowercase + match: + type: contains + value: ';' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'FortiClientEMS - SQLI' + classification: + - cve.CVE-2026-21643 + - attack.T1190 + - cwe.CWE-89 From c92c2854628d52969a3ee63f20af9ee8db7c22cf Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:30:30 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-21643 test config --- .appsec-tests/vpatch-CVE-2026-21643/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-21643/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-21643/config.yaml b/.appsec-tests/vpatch-CVE-2026-21643/config.yaml new file mode 100644 index 00000000000..157a2509083 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-21643/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-15 13:30:23 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-21643.yaml +nuclei_template: CVE-2026-21643.yaml From 59efb09f194fe015c2b537000e365caf635f797d Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:30:32 +0200 Subject: [PATCH 3/4] Add CVE-2026-21643.yaml test --- .../vpatch-CVE-2026-21643/CVE-2026-21643.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-21643/CVE-2026-21643.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-21643/CVE-2026-21643.yaml b/.appsec-tests/vpatch-CVE-2026-21643/CVE-2026-21643.yaml new file mode 100644 index 00000000000..f1fde85d097 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-21643/CVE-2026-21643.yaml @@ -0,0 +1,19 @@ +## autogenerated on 2026-04-15 13:30:23 +id: CVE-2026-21643 +info: + name: CVE-2026-21643 + author: crowdsec + severity: info + description: CVE-2026-21643 testing + tags: appsec-testing +http: + - raw: + - | + GET /api/v1/init_consts HTTP/1.1 + Host: {{Hostname}} + Site: tenant1; SELECT pg_sleep(8)-- + cookie-reuse: true + matchers: + - type: status + status: + - 403 From ada7e98eb22831d93ffd4934612cbfbb6689ff4c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:30:34 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-21643 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 7ccf9a8bf03..d51e4cbed1c 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -122,6 +122,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2019-5418 - crowdsecurity/vpatch-CVE-2025-52488 - crowdsecurity/vpatch-CVE-2025-49132 +- crowdsecurity/vpatch-CVE-2026-21643 - crowdsecurity/vpatch-CVE-2025-47812 - crowdsecurity/vpatch-CVE-2024-51977 - crowdsecurity/vpatch-CVE-2022-31499