Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Published: 2026-04-02
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file upload leading to potential code execution
Action: Immediate Patch
AI Analysis

Impact

The OWASP Core Rule Set failed to trim whitespace in filenames before applying the extension‑checking regular expression, creating a CWE‑178 weakness. By inserting a space before the dot, an attacker can craft a filename such as photo. php or shell.jsp that bypasses the rule set’s file‑type check. If the vulnerable WAF accepts the file and places it in an executable location, the attacker could execute arbitrary code, compromising the application and potentially the underlying server.

Affected Systems

Deployments that use the OWASP CRS before version 3.3.9 or 4.25.0 are affected, including any web application firewall or mod_security configuration that incorporates the unpatched core rule set. This encompasses sites using the Core Rule Set with earlier releases without upgrades.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity, while the EPSS score is below 1 %, suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a file‑upload endpoint that accepts user‑supplied filenames; an attacker submits a file with a padded extension, and the server stores it uninspected. If the upload directory is executable, remote code execution becomes possible.

Generated by OpenCVE AI on April 7, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OWASP CRS to version 3.3.9 or later (including 4.25.0) and ensure the new rule set is loaded by the WAF.
  • Restart the web server or WAF so that the updated rules take effect.
  • Verify that the application’s upload handler accepts only the intended file types and does not execute files in the upload directory.

Generated by OpenCVE AI on April 7, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Owasp
Owasp owasp Modsecurity Core Rule Set
CPEs cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*
Vendors & Products Owasp
Owasp owasp Modsecurity Core Rule Set

Fri, 03 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Coreruleset
Coreruleset coreruleset
Vendors & Products Coreruleset
Coreruleset coreruleset
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Title OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
Weaknesses CWE-178
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}

Subscriptions

Coreruleset Coreruleset
Owasp Owasp Modsecurity Core Rule Set
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T19:16:54.006Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33691

cve-icon Vulnrichment

Updated: 2026-04-18T19:16:54.006Z

cve-icon NVD

Status : Modified

Published: 2026-04-02T16:16:22.593

Modified: 2026-04-18T20:16:29.633

Link: CVE-2026-33691

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:39Z

Weaknesses