Add vpatch-CVE-2026-21643 rule and test

[crowdsec-automation]

This rule detects SQL injection attempts targeting the Fortinet FortiClientEMS /api/v1/init_consts endpoint via the Site HTTP header. The detection logic is as follows:

• The first rule block matches requests where the URI contains "/api/v1/init_consts", ensuring the rule only applies to the vulnerable endpoint.
• The second rule block inspects the Site HTTP header for the presence of a semicolon (";"), which is a strong indicator of SQL injection attempts (as shown in the nuclei template payload: "Site: tenant1; SELECT pg_sleep(8)--"). The lowercase transform is applied to ensure case-insensitive matching.
• The rule avoids matching on specific SQL keywords to reduce false positives and instead focuses on the SQL metacharacter ";" in the context of the Site header, which is unlikely to be used legitimately.
• Labels and classification are set according to the CVE and CWE references from the nuclei template.

Validation checklist:

• All match values are lowercase.
• Transforms include lowercase where applicable.
• No match.value contains capital letters.
• The rule uses contains instead of regex where applicable.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2026-21643 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[github-actions]

Hello @buixor and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-3197 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2022-3254 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2025-40552 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴

[github-actions]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[github-actions]

Hello @buixor and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-3197 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2022-3254 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2025-40552 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴

[github-actions]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.