Medium severity · 6.8 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 18, 2026
CVE-2026-33691
Description
The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename, for example "photo. php" (a space between the dot and the extension) or "shell.jsp " (a trailing space). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match the padded name. This issue has been patched in versions 3.3.9 and 4.25.0.
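As an added illustration, not code from the CRS project or from the advisory, the Python below reproduces the failure mode the description gives and the normalization step the fix applies. The extension regex is a simplified stand-in (an assumption, not the CRS rule text), the sample filenames beyond the two quoted above are constructed, and the multipart builder is a hypothetical helper for replaying a padded filename against a staging WAF.

```python
import re

# Extensions named in the advisory.
DANGEROUS_EXTENSIONS = ("php", "phar", "jsp", "jspx")

# Simplified stand-in for a dot-extension check. Assumption: this is NOT the
# CRS rule text; it only reproduces the described behaviour, i.e. the regex is
# run on the raw filename, so whitespace between the dot and the extension (or
# after the extension) prevents a match.
_EXT_RE = re.compile(
    r"\.(?:" + "|".join(DANGEROUS_EXTENSIONS) + r")$", re.IGNORECASE
)

# Whitespace as a WAF should treat it: space, tab, CR, LF, VT, FF.
_WS_RE = re.compile(r"[ \t\r\n\x0b\x0c]+")


def naive_blocks(filename: str) -> bool:
    """Pre-fix behaviour: evaluate the extension regex on the raw name."""
    return _EXT_RE.search(filename) is not None


def normalize_filename(filename: str) -> str:
    """Strip every whitespace run so 'photo. php' and 'shell.jsp ' collapse
    to their real extension before the regex sees them."""
    return _WS_RE.sub("", filename)


def hardened_blocks(filename: str) -> bool:
    """Post-fix behaviour: normalize first, then evaluate the same regex."""
    return naive_blocks(normalize_filename(filename))


def find_bypasses(filenames):
    """Names that slip past the naive check but are caught once normalized."""
    return [f for f in filenames if hardened_blocks(f) and not naive_blocks(f)]


def build_multipart_probe(filename: str, boundary: str = "probe1234") -> bytes:
    """Hypothetical helper: build a minimal multipart/form-data body that
    carries `filename` verbatim (deliberately unescaped, so the padded name
    reaches the WAF unchanged). The file content is harmless text."""
    part = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "probe\r\n"
        f"--{boundary}--\r\n"
    )
    return part.encode("utf-8")


# Constructed sample filenames; only the two advisory examples come from the page.
SAMPLES = [
    "photo.php",     # plain name: blocked before and after the fix
    "photo. php",    # advisory example: space after the dot
    "shell.jsp ",    # advisory example: trailing space
    "shell.jspx\t",  # constructed: trailing tab, same idea
    "notes.txt",     # constructed benign name
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:16} naive={naive_blocks(name)!s:5} hardened={hardened_blocks(name)}")
    print("bypasses:", find_bypasses(SAMPLES))
```

Removing all whitespace (rather than only trimming the ends) is the conservative choice for a blocking rule: a name such as "my file.php" is still blocked, which is the intended outcome, while "shell .jsp" and "shell.jsp " both collapse to the real extension. When verifying your own deployment with the probe, send the body exactly as built; any client-side trimming of the filename would mask the gap the advisory describes.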
Affected products
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* (range: <3.3.9)
Patches
- 2a8c63512811 https://github.com/coreruleset/coreruleset (via nvd-ref)
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02 (nvd: Patch)
- github.com/coreruleset/coreruleset/pull/4546 (nvd: Issue Tracking, Patch)
- github.com/coreruleset/coreruleset/pull/4547 (nvd: Issue Tracking, Patch)
- github.com/coreruleset/coreruleset/pull/4548 (nvd: Patch)
- github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w (nvd: Mitigation, Patch, Vendor Advisory)
- seclists.org/fulldisclosure/2026/Apr/0 (nvd: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2026/03/29/2 (nvd: Mailing List, Third Party Advisory)
- github.com/coreruleset/coreruleset/releases/tag/v3.3.9 (nvd: Product, Release Notes)
- github.com/coreruleset/coreruleset/releases/tag/v4.25.0 (nvd: Product, Release Notes)
- www.openwall.com/lists/oss-security/2026/04/18/4 (nvd)