{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33691", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.932Z", "datePublished": "2026-04-02T15:03:52.126Z", "dateUpdated": "2026-04-18T19:16:54.006Z"}, "containers": {"cna": {"title": "OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "lang": "en", "description": "CWE-178: Improper Handling of Case Sensitivity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w"}, {"name": "https://github.com/coreruleset/coreruleset/pull/4546", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/pull/4546"}, {"name": "https://github.com/coreruleset/coreruleset/pull/4547", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/pull/4547"}, {"name": "https://github.com/coreruleset/coreruleset/pull/4548", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/pull/4548"}, {"name": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02"}, {"name": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9"}, {"name": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0"}], "affected": [{"vendor": "coreruleset", "product": "coreruleset", "versions": [{"version": "< 3.3.9", "status": "affected"}, {"version": ">= 4.0.0-rc1, < 4.25.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:03:52.126Z"}, "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0."}], "source": {"advisory": "GHSA-rw5f-9w43-gv2w", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/29/2"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/0"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/18/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T19:16:54.006Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:38:01.007742Z", "id": "CVE-2026-33691", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:38:10.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/29/2"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/0"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/18/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-18T19:16:54.006Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:38:01.007742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:38:04.990Z"}}], "cna": {"title": "OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks", "source": {"advisory": "GHSA-rw5f-9w43-gv2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "coreruleset", "product": "coreruleset", "versions": [{"status": "affected", "version": "< 3.3.9"}, {"status": "affected", "version": ">= 4.0.0-rc1, < 4.25.0"}]}], "references": [{"url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w", "name": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/coreruleset/coreruleset/pull/4546", "name": "https://github.com/coreruleset/coreruleset/pull/4546", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/pull/4547", "name": "https://github.com/coreruleset/coreruleset/pull/4547", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/pull/4548", "name": "https://github.com/coreruleset/coreruleset/pull/4548", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02", "name": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9", "name": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0", "name": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:03:52.126Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33691", "state": "PUBLISHED", "dateUpdated": "2026-04-18T19:16:54.006Z", "dateReserved": "2026-03-23T16:34:59.932Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T15:03:52.126Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*", "matchCriteriaId": "33F8A888-1ED5-40BC-B1B9-7AA88411B0E0", "versionEndExcluding": "3.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*", "matchCriteriaId": "8822CE75-E018-4576-B30B-A25A1A2F60E0", "versionEndExcluding": "4.25.0", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0."}], "id": "CVE-2026-33691", "lastModified": "2026-04-18T20:16:29.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T16:16:22.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/coreruleset/coreruleset/pull/4546"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/coreruleset/coreruleset/pull/4547"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/coreruleset/coreruleset/pull/4548"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2026/Apr/0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/29/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/18/4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-rc1,4.25.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreruleset", "source": "cna", "vendor": "coreruleset"}, "product": "coreruleset", "vendor": "coreruleset"}], "analysis": {"en": {"generated_at": "2026-04-07T20:51:17.325697+00:00", "value": {"mitigation_remediation": ["Upgrade OWASP CRS to version\u202f3.3.9 or later (including\u202f4.25.0) and ensure the new rule set is loaded by the WAF.", "Restart the web server or WAF so that the updated rules take effect.", "Verify that the application\u2019s upload handler accepts only the intended file types and does not execute files in the upload directory."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted file upload leading to potential code execution"}, "threat_synthesis": {"affected_systems": "Deployments that use the OWASP CRS before version\u202f3.3.9 or 4.25.0 are affected, including any web application firewall or mod_security configuration that incorporates the unpatched core rule set. This encompasses sites using the Core Rule Set with earlier releases without upgrades.", "description_and_impact": "The OWASP Core Rule Set failed to trim whitespace in filenames before applying the extension\u2011checking regular expression, creating a CWE\u2011178 weakness. By inserting a space before the dot, an attacker can craft a filename such as photo. php or shell.jsp that bypasses the rule set\u2019s file\u2011type check. If the vulnerable WAF accepts the file and places it in an executable location, the attacker could execute arbitrary code, compromising the application and potentially the underlying server.", "risk_and_exploitability": "The CVSS score of 6.8 indicates medium severity, while the EPSS score is below 1\u202f%, suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a file\u2011upload endpoint that accepts user\u2011supplied filenames; an attacker submits a file with a padded extension, and the server stores it uninspected. If the upload directory is executable, remote code execution becomes possible."}}}}, "created": "2026-04-02T20:11:31.405972+00:00", "updated": "2026-04-08T19:55:39.513315+00:00", "vendors": ["coreruleset", "coreruleset$PRODUCT$coreruleset"]}