CVE-2026-33691

EPSS 0.03%
Veröffentlicht 02.04.2026 15:03:52
Zuletzt bearbeitet 18.04.2026 20:16:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 13

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Owasp ≫ Owasp Modsecurity Core Rule Set Version < 3.3.9

Owasp ≫ Owasp Modsecurity Core Rule Set Version >= 4.0.0 < 4.25.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.09

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	6.8	2.2	4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w

Patch

Vendor Advisory

Mitigation

https://github.com/coreruleset/coreruleset/pull/4546

Patch

Issue Tracking

https://github.com/coreruleset/coreruleset/pull/4547

Patch

Issue Tracking

https://github.com/coreruleset/coreruleset/pull/4548

Patch