Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Published: 2026-04-02
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of file extension checks allowing upload of hazardous script files
Action: Immediate Patch
AI Analysis

Impact

The OWASP Core Rule Set does not normalize whitespace before evaluating the file-extension regex. An attacker can therefore pad a filename with spaces (e.g., photo. php) to bypass the extension check. This permits upload of files with malicious extensions such as .php, .phar, .jsp, or .jspx. The weakness is classified as CWE-178. The consequence of a successful bypass is that the attacker can host and run these files on the web server, leading to potential remote code execution, data compromise, and service disruption.

Affected Systems

The vulnerability applies to the OWASP Core Rule Set in all versions earlier than 3.3.9 and 4.25.0. Any web application firewall configuration that incorporates the CRS rule set and relies on CRS for file-upload validation is impacted. No specific vendor product names beyond the rule set itself are listed.

Risk and Exploitability

The CVSS base score is 6.8, indicating moderate severity. No EPSS score is provided, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. An attacker would need remote access to a file-upload endpoint that is governed by CRS to exploit this weakness. Successful exploitation would likely lead to remote code execution or a similar compromise of the application.

Generated by OpenCVE AI on April 2, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OWASP Core Rule Set to version 3.3.9 or later
  • Upgrade to version 4.25.0 or later if available
  • Implement additional server‑side validation to reject filenames containing whitespace or disallowed extensions

Generated by OpenCVE AI on April 2, 2026 at 16:21 UTC.
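The failure mode described in the Impact section (the regex never sees a normalized name) and the server-side validation recommended above, shown as an added Python example. It is not CRS's own rule, regex or code: BLOCKED_EXT_RE is a constructed stand-in with the same shape as a dot-extension denylist, and the sample filenames are constructed (the two padded ones are the names quoted in the advisory).

```python
import re

# Constructed stand-in for an extension-denylist rule. This is NOT the CRS rule
# or its regex; it only mirrors the shape of such a check so the bypass and the
# fix can be shown side by side.
BLOCKED_EXT_RE = re.compile(r"\.(?:php|phar|jsp|jspx)$", re.IGNORECASE)

# Constructed sample filenames: the two padded names are the ones quoted in the
# advisory, the rest are added to exercise other whitespace characters.
SAMPLE_FILENAMES = [
    "photo.jpg",         # benign
    "shell.php",         # plainly blocked
    "photo. php",        # space after the dot (from the advisory)
    "shell.jsp ",        # trailing space (from the advisory)
    "run.\tjspx",        # tab padding
    "index.\u00a0phar",  # no-break space padding
]


def naive_is_blocked(filename: str) -> bool:
    """Weak check: the regex runs on the raw filename. The literal dot must be
    followed immediately by the extension and the extension must end the string,
    so any whitespace padding breaks the match and the upload is allowed."""
    return BLOCKED_EXT_RE.search(filename) is not None


def strip_whitespace(filename: str) -> str:
    """Remove every whitespace code point (str.isspace covers tab, no-break
    space and the other Unicode spaces, not just ASCII 0x20)."""
    return "".join(ch for ch in filename if not ch.isspace())


def hardened_is_blocked(filename: str) -> bool:
    """Normalize before matching, and additionally reject any name that
    contained whitespace at all, as the recommended action above suggests."""
    collapsed = strip_whitespace(filename)
    if collapsed != filename:
        return True
    return BLOCKED_EXT_RE.search(collapsed) is not None


def compare_checks(filenames):
    """Return {filename: (naive_blocked, hardened_blocked)} for a batch."""
    return {name: (naive_is_blocked(name), hardened_is_blocked(name))
            for name in filenames}


def bypasses(filenames):
    """Filenames the naive check lets through but the hardened check stops."""
    return [name for name, (naive, hard) in compare_checks(filenames).items()
            if hard and not naive]


if __name__ == "__main__":
    for name, (naive, hard) in compare_checks(SAMPLE_FILENAMES).items():
        print(f"{name!r:22} naive_blocked={naive!s:5} hardened_blocked={hard}")
    print("bypassed the naive check:", bypasses(SAMPLE_FILENAMES))
```

Running the block lists every padded name as a bypass of the naive check and a block of the hardened one, while the benign and plainly-blocked names are classified the same way by both. The hardened version rejects whitespace outright rather than silently collapsing it, so a filename that reaches the application is exactly the string the check evaluated.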

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 06:30:00 +0000

Type | Values Removed | Values Added
References | |

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Coreruleset; Coreruleset coreruleset
Vendors & Products | | Coreruleset; Coreruleset coreruleset
References | |
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Title | | OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks
Weaknesses | | CWE-178
References | |
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T05:33:10.025Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33691

Vulnrichment

Updated: 2026-04-03T05:33:10.025Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T16:16:22.593

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-33691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:12Z

Weaknesses