CVE Alert

CVE-2026-33691

MEDIUM 6.8

OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks

CVSS Score: 6.8
EPSS Score: 0.0%
EPSS Percentile: 0th

The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. "photo. php", or "shell.jsp " with a trailing space). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
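
The defect class described above, as an added illustration (not the CRS rules or their regexes): a simplified dot-extension check run on the raw filename misses the padded names the advisory cites, while the same check run after whitespace normalization flags them. The regex, function names and sample filenames below are assumptions constructed for this example.

```python
"""Illustrative model of the CVE-2026-33691 defect class: an extension
check that runs its regex on the raw filename can be defeated by whitespace
padding, while a check that normalizes whitespace first is not.
Added example code; not the CRS rules or their regexes."""
import re

# Assumption: a simplified stand-in for a dot-extension check. The real
# CRS rule text is not reproduced here.
DANGEROUS_EXT = re.compile(r"\.(?:php|phar|jsp|jspx)$", re.IGNORECASE)

# Constructed sample filenames, including the padded forms the advisory names.
SAMPLE_FILENAMES = [
    "photo.php",      # plainly dangerous; both checks should flag it
    "photo. php",     # whitespace between the dot and the extension
    "shell.jsp ",     # trailing space after the extension
    "shell.jspx\t",   # trailing tab, same idea with another extension
    "holiday.jpg",    # benign
    "notes.txt ",     # benign even when padded
]


def naive_has_dangerous_extension(filename: str) -> bool:
    """Vulnerable pattern: evaluate the regex on the filename as received."""
    return bool(DANGEROUS_EXT.search(filename))


def normalize_filename(filename: str) -> str:
    """Remove every whitespace character so padding cannot split the extension.

    Removing (rather than only trimming) whitespace also covers padding inside
    the name, e.g. "photo. php" -> "photo.php"."""
    return re.sub(r"\s+", "", filename)


def hardened_has_dangerous_extension(filename: str) -> bool:
    """Fixed pattern: normalize first, then evaluate the same regex."""
    return bool(DANGEROUS_EXT.search(normalize_filename(filename)))


def compare_checks(filenames):
    """Return {filename: (naive_verdict, hardened_verdict)} to show the gap."""
    return {f: (naive_has_dangerous_extension(f), hardened_has_dangerous_extension(f))
            for f in filenames}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks(SAMPLE_FILENAMES).items():
        print(f"{name!r:16} naive={naive!s:5} hardened={hardened}")
```

The same gap appears for any whitespace character, not only the space and tab used here, because `\s` covers the whole class; normalizing before matching is the property the fix restores.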

CWE: CWE-178
Vendor: coreruleset
Product: coreruleset
Published: Apr 2, 2026
Last Updated: Apr 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: None

Affected Versions

coreruleset / coreruleset
< 3.3.9
>= 4.0.0-rc1, < 4.25.0

References

github.com: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
github.com: https://github.com/coreruleset/coreruleset/pull/4546
github.com: https://github.com/coreruleset/coreruleset/pull/4547
github.com: https://github.com/coreruleset/coreruleset/pull/4548
github.com: https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02
github.com: https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9
github.com: https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0
openwall.com: http://www.openwall.com/lists/oss-security/2026/03/29/2
seclists.org: http://seclists.org/fulldisclosure/2026/Apr/0