Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. "photo. php" with a space after the dot, or "shell.jsp " with a trailing space). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
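As an added illustration (not the CRS rule text or the project's own code), the following Python uses a constructed, simplified dangerous-extension regex to show why evaluating the raw filename misses whitespace-padded names and why normalizing whitespace before the regex closes the gap:

```python
import re

# Constructed, simplified stand-in for a CRS-style dangerous-extension check.
# The real CRS regexes are not reproduced here; this pattern is an assumption
# used only to demonstrate the normalization issue described in the advisory.
DANGEROUS_EXT = re.compile(r"\.(?:php|phar|jsp|jspx)$", re.IGNORECASE)


def is_dangerous_raw(filename: str) -> bool:
    """Pre-fix behaviour: run the extension regex on the unnormalized filename.
    Padding such as 'photo. php' or 'shell.jsp ' breaks the '.ext$' match."""
    return DANGEROUS_EXT.search(filename) is not None


def normalize_filename(filename: str) -> str:
    """Strip all whitespace (spaces, tabs, newlines) before the extension check."""
    return re.sub(r"\s+", "", filename)


def is_dangerous_normalized(filename: str) -> bool:
    """Fixed behaviour: normalize first, then apply the same regex."""
    return DANGEROUS_EXT.search(normalize_filename(filename)) is not None


def audit(filenames):
    """Return (name, raw_verdict, normalized_verdict) for each filename so the
    cases where only the normalized check catches the upload are visible."""
    return [(n, is_dangerous_raw(n), is_dangerous_normalized(n)) for n in filenames]


# Constructed sample filenames: padded variants from the advisory plus benign names.
SAMPLES = ["photo. php", "shell.jsp ", "app.phar", "image.jpg", "report.pdf"]

if __name__ == "__main__":
    for name, raw, fixed in audit(SAMPLES):
        print(f"{name!r:16} raw={raw!s:5} normalized={fixed}")
```

Any real fix must apply the same normalization to every rule that inspects the multipart filename, not just one; the audit table makes it easy to spot a rule that still evaluates the raw value.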

PUBLISHED Reserved 2026-03-23 | Published 2026-04-02 | Updated 2026-04-18 | Assigner GitHub_M




MEDIUM: 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Problem types

CWE-178: Improper Handling of Case Sensitivity

Product status

< 3.3.9: affected

>= 4.0.0-rc1, < 4.25.0: affected

References

www.openwall.com/lists/oss-security/2026/03/29/2

seclists.org/fulldisclosure/2026/Apr/0

www.openwall.com/lists/oss-security/2026/04/18/4

github.com/...uleset/security/advisories/GHSA-rw5f-9w43-gv2w

github.com/coreruleset/coreruleset/pull/4546

github.com/coreruleset/coreruleset/pull/4547

github.com/coreruleset/coreruleset/pull/4548

github.com/...ommit/2a8c63512811c5dd74472becebb79a783e68ff02

github.com/coreruleset/coreruleset/releases/tag/v3.3.9

github.com/coreruleset/coreruleset/releases/tag/v4.25.0

cve.org (CVE-2026-33691)

nvd.nist.gov (CVE-2026-33691)
