7.5

CVE-2026-33691

Medienbericht

OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OwaspOwasp Modsecurity Core Rule Set Version >= 4.0.0 < 4.25.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.17% 0.801
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com 6.8 2.2 4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
30.06.2026 11:26
https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
Patch
Vendor Advisory
Mitigation
https://github.com/coreruleset/coreruleset/pull/4546
Patch
Issue Tracking
https://github.com/coreruleset/coreruleset/pull/4547
Patch
Issue Tracking
https://github.com/coreruleset/coreruleset/pull/4548
Patch
https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02
Patch
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9
Product
Release Notes
https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0
Product
Release Notes
http://www.openwall.com/lists/oss-security/2026/03/29/2
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2026/Apr/0
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/04/18/4