
OWASP Core Rule Set v4.28.0 released today delivers critical security patches including XML attribute inspection across attack rules and the elimination of catastrophic backtracking in Unix shell evasion detection. The update adds new protections for quote-based SQL injection evasion, ORM lookup operator injection, and RCE evasion prefixes while removing exponential backtracking from several performance-critical rules. The project also announced v4.25.0 as its first Long-Term Support release, providing enterprise stability as legacy CRS 3.3.x support wraps up in Q3 2026. Administrators can pull the new rules from GitHub immediately, though the team emphasizes CRS remains a pattern-matching safety net that requires proper tuning and cannot replace application-level security practices.



OWASP CRS v4.28.0 Drops With Security Fixes, Performance Patches, and a New LTS Track

The OWASP Core Rule Set just got a significant update. Version 4.28.0 landed today, July 2, 2026, and it’s packing a mix of security patches, performance tweaks, and new evasion detections. If you run ModSecurity or Coraza in front of your web apps, it’s worth grabbing.

CRS has been the default WAF policy for roughly two decades. First released in 2006 and later maintained at Trustwave SpiderLabs, it moved to the OWASP Foundation, where it grew into a flagship project with over 3,200 GitHub stars and more than 5,600 commits. The rules sit on top of engines like ModSecurity or the newer Go-based Coraza WAF, giving admins a baseline layer of coverage against common web attack classes (SQL injection, XSS, command injection, local and remote file inclusion, and much of the OWASP Top Ten) without writing custom policies from scratch. It is a generic first line of defense, not a replacement for the application's own controls.


What’s Actually New

The headline changes are security-driven. The update extends XML attribute value inspection across all attack-detection rules, closing a gap that could let payloads carried in XML attribute values slip past rules that previously only looked at element content. It also removes catastrophic backtracking from the Unix shell evasion prefix detection. That regex issue was the subject of a security advisory, since a crafted request could keep the engine busy for far longer than the request deserved, and the team moved quickly to fix it.

On the detection front, you get new rules for quote-based SQL injection evasion, ORM lookup operator injection, and uninitialized variable usage in RCE evasion prefixes. There is also a big push on performance. Several rules, specifically 933160, 933161, 941140, and 933180, had exponential backtracking removed. That matters for high-traffic deployments: a regex that backtracks exponentially lets an attacker pin a worker for seconds with a single near-miss request, which is a denial of service against the WAF itself and, depending on how the engine handles timeouts, can let that request through uninspected. A stalled WAF engine is basically a free pass for attackers.
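To make the backtracking point concrete, here is a small added example (not code from the CRS project, and not the regexes from the rules named above) that demonstrates the failure mode with a constructed pattern and wraps it in a timing harness a rule author can use to smoke-test a pattern before shipping it. The patterns, inputs, thresholds and function names are all assumptions made for illustration.

```python
"""
Catastrophic (exponential) regex backtracking, illustrated with a constructed
pattern, plus a timing harness for smoke-testing rules.  This is an added
example; the patterns here are NOT the CRS rules discussed in the article.
"""
import re
import time

# Constructed example of nested quantifiers.  On input "aaaa...a!" the engine
# tries every way of splitting the run of a's between the inner and outer
# repetition before it can conclude there is no match, so work grows as 2^n.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language, single quantifier: one pass over the input, fails in O(n).
LINEAR = re.compile(r"^a+$")


def evil_input(n: int) -> str:
    """A near-miss input: n characters that satisfy the repetition, followed by
    one character that forces the overall match to fail.  Failure after almost
    matching is what triggers the backtracking; a clean match would be fast."""
    return "a" * n + "!"


def match_seconds(pattern: re.Pattern, text: str) -> float:
    """Wall-clock time of a single match attempt (assumed good enough here)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def timings(pattern: re.Pattern, make_input, sizes=(12, 14, 16, 18, 20)):
    """Match time for each near-miss input size, in order."""
    return [match_seconds(pattern, make_input(n)) for n in sizes]


def looks_exponential(pattern: re.Pattern, make_input,
                      sizes=(12, 14, 16, 18, 20),
                      min_seconds=0.002, min_growth=20.0) -> bool:
    """Heuristic ReDoS check (thresholds are assumptions, not CRS policy).

    Flag the pattern if the largest input takes a noticeable absolute time AND
    is at least `min_growth` times slower than the smallest input.  Adding 8
    characters to a 2^n pattern multiplies the work by 256, while a linear
    pattern finishes in microseconds at every size, so the absolute-time
    clause keeps timer noise on fast patterns from producing false alarms.
    """
    t = timings(pattern, make_input, sizes)
    return t[-1] > min_seconds and t[-1] > min_growth * t[0]


if __name__ == "__main__":
    for name, pattern in (("VULNERABLE", VULNERABLE), ("LINEAR", LINEAR)):
        times = timings(pattern, evil_input)
        print(name, ["%.6f" % s for s in times],
              "exponential" if looks_exponential(pattern, evil_input) else "ok")
```

The harness is deliberately crude: it only finds blow-ups for inputs you think to construct, and the thresholds assume an interpreter with a backtracking engine such as CPython's `re`. An RE2-style engine (Go's `regexp`, for instance) would show linear times for both patterns, which is exactly why a pattern that is fine in one engine can be a problem in another. The lesson for rule authors is the same one the release applies: prefer a single unambiguous quantifier over nested ones that can match the same text in many ways.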

The changes come from a rotating cast of contributors including Felipe Zipitría, Xhoenix, Esad Cetiner, and azurit. It is the kind of distributed, community-driven work that makes open-source security actually work. The project has been around long enough that some admins probably remember when the old rule numbering felt like deciphering a cipher. The current scheme, where the rule ID prefix identifies the attack family (941xxx for XSS, 942xxx for SQL injection, 932xxx for RCE, 933xxx for PHP injection), is at least readable.

The LTS Shift and Why It Matters

Maybe the more important announcement buried in the release notes is the v4.25.0 Long-Term Support track, the first LTS release in CRS history. On that track the project is committing fully to the regex-assembly build process, stabilizing the core detection rules, and chipping away at persistent false positives rather than adding new detections. Enterprise teams that cannot re-tune their exclusions on every minor release will appreciate that predictability.

There is also a hard deadline. CRS 3.3.x support wraps up in Q3 2026. If you are still running the legacy rules, you have a clear window to migrate, and the project has published a seven-part migration guide covering setup, false positive tuning, and engine-specific gotchas.

Keep in mind that CRS is not a magic shield. It matches generic, commonly occurring attack patterns in requests; it cannot see application-specific logic bugs, missing authorization checks, or anything that looks like legitimate traffic. False positives will still show up, even at the default Paranoia Level 1, and raising the level trades more of them for broader coverage. Every rule evaluation adds latency. As the project documentation puts it, it is a safety net, not a substitute for secure coding or proper patch management.

You can grab the latest rules from the project's GitHub releases page. The v4.28.0 tarball, changelog, and migration docs are all up now. If you run Coraza or ModSecurity, a download, a check of your existing rule exclusions against the changelog, and a reload of your WAF should get you onto the new rules within the hour.