CVE-2026-33691

MEDIUM

OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks

Title source: cna

Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.

References (10)

[X_Refsource_Confirm] https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w

[X_Refsource_Misc] https://github.com/coreruleset/coreruleset/pull/4546

[X_Refsource_Misc] https://github.com/coreruleset/coreruleset/pull/4547

[X_Refsource_Misc] https://github.com/coreruleset/coreruleset/pull/4548

[X_Refsource_Misc] https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9

[X_Refsource_Misc] https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0

[Mailing List] http://www.openwall.com/lists/oss-security/2026/03/29/2

[Mailing List] http://seclists.org/fulldisclosure/2026/Apr/0

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/18/4

Scores

CVSS v3 6.8

EPSS 0.0003

EPSS Percentile 8.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-178

Status published

Products (3)

coreruleset/coreruleset < 3.3.9

coreruleset/coreruleset >= 4.0.0-rc1, < 4.25.0

owasp/owasp_modsecurity_core_rule_set < 3.3.9

Published Apr 02, 2026

Tracked Since Apr 02, 2026