CVE-2026-33691 - Vulnerability Details

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02
https://github.com/coreruleset/coreruleset/pull/4546
https://github.com/coreruleset/coreruleset/pull/4547
https://github.com/coreruleset/coreruleset/pull/4548
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9
https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0
https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w

History

Thu, 02 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Title		OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
Weaknesses		CWE-178
References		https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02 https://github.com/coreruleset/coreruleset/pull/4546 https://github.com/coreruleset/coreruleset/pull/4547 https://github.com/coreruleset/coreruleset/pull/4548 https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9 https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0 https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-02T15:03:52.126Z

Updated: 2026-04-02T15:25:25.719Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33691

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object