OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
Summary
| CVE | CVE-2026-33691 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-02 16:16:22 UTC |
| Updated | 2026-04-18 20:16:29 UTC |
| Description | The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.000540000 probability, percentile 0.168820000 (date 2026-04-07)
Problem Types: CWE-178 | CWE-178 CWE-178: Improper Handling of Case Sensitivity
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | [email protected] | Secondary | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |
| 3.1 | CNA | DECLARED | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Owasp | Owasp Modsecurity Core Rule Set | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Coreruleset | Coreruleset | affected < 3.3.9 | Not specified |
| CNA | Coreruleset | Coreruleset | affected >= 4.0.0-rc1, < 4.25.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w | [email protected] | github.com | Mitigation, Patch, Vendor Advisory |
| www.openwall.com/lists/oss-security/2026/03/29/2 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| github.com/coreruleset/coreruleset/pull/4546 | [email protected] | github.com | Issue Tracking, Patch |
| github.com/coreruleset/coreruleset/pull/4547 | [email protected] | github.com | Issue Tracking, Patch |
| github.com/coreruleset/coreruleset/releases/tag/v3.3.9 | [email protected] | github.com | Product, Release Notes |
| github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a... | [email protected] | github.com | Patch |
| seclists.org/fulldisclosure/2026/Apr/0 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | Mailing List, Third Party Advisory |
| github.com/coreruleset/coreruleset/releases/tag/v4.25.0 | [email protected] | github.com | Product, Release Notes |
| www.openwall.com/lists/oss-security/2026/04/18/4 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| github.com/coreruleset/coreruleset/pull/4548 | [email protected] | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.