1. Home
  2. CVE Database
  3. CVE-2026-33691
MEDIUM · 6.8

CVE-2026-33691

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS tha...

Vulnerability Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
OwaspOwasp Modsecurity Core Rule Set< 3.3.9

Related Weaknesses (CWE)

CWE-178

References

FAQ

What is CVE-2026-33691?

CVE-2026-33691 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS tha...

How severe is CVE-2026-33691?

CVE-2026-33691 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33691?

Check the references section above for vendor advisories and patch information. Affected products include: Owasp Owasp Modsecurity Core Rule Set.