{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33691", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.932Z", "datePublished": "2026-04-02T15:03:52.126Z", "dateUpdated": "2026-04-02T17:38:10.247Z"}, "containers": {"cna": {"title": "OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "lang": "en", "description": "CWE-178: Improper Handling of Case Sensitivity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w"}, {"name": "https://github.com/coreruleset/coreruleset/pull/4546", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/pull/4546"}, {"name": "https://github.com/coreruleset/coreruleset/pull/4547", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/pull/4547"}, {"name": "https://github.com/coreruleset/coreruleset/pull/4548", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/pull/4548"}, {"name": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02"}, {"name": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9"}, {"name": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0"}], "affected": [{"vendor": "coreruleset", "product": "coreruleset", "versions": [{"version": "< 3.3.9", "status": "affected"}, {"version": ">= 4.0.0-rc1, < 4.25.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:03:52.126Z"}, "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0."}], "source": {"advisory": "GHSA-rw5f-9w43-gv2w", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/29/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-02T15:25:25.719Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:38:01.007742Z", "id": "CVE-2026-33691", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:38:10.247Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/29/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-02T15:25:25.719Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T17:38:01.007742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:38:04.990Z"}}], "cna": {"title": "OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks", "source": {"advisory": "GHSA-rw5f-9w43-gv2w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "coreruleset", "product": "coreruleset", "versions": [{"status": "affected", "version": "< 3.3.9"}, {"status": "affected", "version": ">= 4.0.0-rc1, < 4.25.0"}]}], "references": [{"url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w", "name": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/coreruleset/coreruleset/pull/4546", "name": "https://github.com/coreruleset/coreruleset/pull/4546", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/pull/4547", "name": "https://github.com/coreruleset/coreruleset/pull/4547", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/pull/4548", "name": "https://github.com/coreruleset/coreruleset/pull/4548", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02", "name": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9", "name": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0", "name": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:03:52.126Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33691", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:38:10.247Z", "dateReserved": "2026-03-23T16:34:59.932Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T15:03:52.126Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0."}], "id": "CVE-2026-33691", "lastModified": "2026-04-02T16:16:22.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T16:16:22.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02"}, {"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/pull/4546"}, {"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/pull/4547"}, {"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/pull/4548"}, {"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/29/2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-rc1,4.25.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "coreruleset", "source": "cna", "vendor": "coreruleset"}, "product": "coreruleset", "vendor": "coreruleset"}], "analysis": {"en": {"generated_at": "2026-04-02T16:21:09.081235+00:00", "value": {"mitigation_remediation": ["Upgrade the OWASP Core Rule Set to version 3.3.9 or later", "Upgrade to version 4.25.0 or later if available", "Implement additional server\u2011side validation to reject filenames containing whitespace or disallowed extensions"], "summary": {"action": "Immediate Patch", "impact": "Bypass of file extension checks allowing upload of hazardous script files"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the OWASP Core Rule Set in all versions earlier than 3.3.9 and 4.25.0. Any web application firewall configuration that incorporates the CRS rule set and relies on CRS for file\u2011upload validation is impacted. No specific vendor product names beyond the rule set itself are listed.", "description_and_impact": "The OWASP Core Rule Set does not normalize whitespace before evaluating the file\u2010extension regex. An attacker can therefore pad a filename with spaces (e.g., photo. php) to bypass the extension check. This permits upload of files with malicious extensions such as .php, .phar, .jsp, or .jspx. The weakness is classified as CWE\u2011178. The consequence of a successful bypass is that the attacker can host and run these files on the web server, leading to potential remote code execution, data compromise, and service disruption.", "risk_and_exploitability": "The CVSS base score is 6.8, indicating moderate severity. No EPSS score is provided, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. An attacker would need remote access to a file\u2011upload endpoint that is governed by CRS to exploit this weakness. Successful exploitation would likely lead to remote code execution or a similar compromise of the application."}}}}, "created": "2026-04-02T20:11:31.405972+00:00", "updated": "2026-04-02T20:20:12.892355+00:00", "vendors": ["coreruleset", "coreruleset$PRODUCT$coreruleset"]}