Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.

INFO

Published Date :

2026-04-02T15:03:52.126Z

Last Modified :

2026-04-02T17:38:10.247Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33691 vulnerability.

Vendors Products
Coreruleset
  • Coreruleset
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33691.

URL Resource
http://www.openwall.com/lists/oss-security/2026/03/29/2 cve-icon
https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02 cve-icon cve-icon
https://github.com/coreruleset/coreruleset/pull/4546 cve-icon cve-icon
https://github.com/coreruleset/coreruleset/pull/4547 cve-icon cve-icon
https://github.com/coreruleset/coreruleset/pull/4548 cve-icon cve-icon
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9 cve-icon cve-icon
https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0 cve-icon cve-icon
https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact