Medium severity (6.8) · NVD Advisory · Published Apr 2, 2026 · Updated Apr 18, 2026
CVE-2026-33691
Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
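As an added illustration (not from the advisory and not the CRS project's own rule text), the check below contrasts a simplified extension regex evaluated on the raw filename with the same regex evaluated after whitespace normalization, run over the padded filenames quoted above. The regex, function names and sample filenames are stand-ins chosen for this example.

```python
import re

# Simplified stand-in for a dangerous-extension rule (assumption: not the real
# CRS rule text). Flags a filename whose final dot-extension is one of the listed ones.
DANGEROUS_EXT_RE = re.compile(r"\.(?:php|phar|jsp|jspx)$", re.IGNORECASE)


def naive_is_dangerous(filename: str) -> bool:
    """Unnormalized check: the regex sees the raw filename, so whitespace
    between the dot and the extension, or after it, defeats the match."""
    return DANGEROUS_EXT_RE.search(filename) is not None


def normalize_filename(filename: str) -> str:
    """Strip every whitespace character (space, tab, CR/LF) before matching,
    mirroring the 'normalize whitespace first' fix the advisory describes."""
    return re.sub(r"\s+", "", filename)


def hardened_is_dangerous(filename: str) -> bool:
    """Same regex, but evaluated on the normalized filename."""
    return DANGEROUS_EXT_RE.search(normalize_filename(filename)) is not None


# Constructed sample filenames, including the padded forms from the description.
SAMPLES = [
    "photo.php",        # plain dangerous extension
    "photo. php",       # space after the dot
    "shell.jsp ",       # trailing space
    "shell.jspx\t",     # trailing tab
    "report.pdf",       # benign
    "archive.tar.gz",   # benign, multiple dots
]


def evaluate(samples=SAMPLES):
    """Return {filename: (naive_result, hardened_result)} for each sample."""
    return {name: (naive_is_dangerous(name), hardened_is_dangerous(name)) for name in samples}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name!r:20} naive={naive!s:5} hardened={hardened}")
```

The padded names are missed by the naive check and caught by the hardened one, while the benign names are rejected by both.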
Affected products
- cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:* (Range: <3.3.9)
References
- github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02 (NVD: Patch)
- github.com/coreruleset/coreruleset/pull/4546 (NVD: Issue Tracking, Patch)
- github.com/coreruleset/coreruleset/pull/4547 (NVD: Issue Tracking, Patch)
- github.com/coreruleset/coreruleset/pull/4548 (NVD: Patch)
- github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w (NVD: Mitigation, Patch, Vendor Advisory)
- seclists.org/fulldisclosure/2026/Apr/0 (NVD: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2026/03/29/2 (NVD: Mailing List, Third Party Advisory)
- github.com/coreruleset/coreruleset/releases/tag/v3.3.9 (NVD: Product, Release Notes)
- github.com/coreruleset/coreruleset/releases/tag/v4.25.0 (NVD: Product, Release Notes)
- www.openwall.com/lists/oss-security/2026/04/18/4 (NVD)
News mentions
- Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth (The Hacker News, Jun 30, 2026)