File Upload Bypass in OWASP Core Rule Set by Inserting Whitespace
CVE-2026-33691

6.8 MEDIUM

Key Information:

Vendor:
OWASP (Core Rule Set project)
CVE Published:
2 April 2026

What is CVE-2026-33691?

A file upload bypass vulnerability exists in the OWASP Core Rule Set (CRS). The rule that blocks uploads of files with dangerous extensions (for example .php, .phar, .jsp and .jspx) evaluates the file extension without first normalizing whitespace in the filename. An attacker can therefore insert whitespace into the filename of an uploaded file so that the dot-extension check no longer matches, and the upload passes the rule even though the extension is on the blocklist. CRS is a WAF layer in front of the application: the bypass removes the protection the rule was meant to provide, and whether the file is then stored and served under the dangerous extension depends on how the backend application handles the whitespace in the filename. The issue is fixed in CRS versions 3.3.9 and 4.25.0; earlier releases of both branches remain affected.
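The following is an added illustration, not code from the CRS project and not the actual affected rule: it models a dot-extension check of the kind the advisory describes, applied to the filename parameter of a multipart Content-Disposition header, and contrasts the raw check with one that removes whitespace before matching. The extension list comes from the advisory; the regex shape, the helper names and the sample headers are assumptions constructed for the example.

```python
import re

# Extensions the advisory names as dangerous. The list is from the advisory;
# the regex shape is an illustrative model, not the CRS rule text.
DANGEROUS_EXTENSIONS = ("php", "phar", "jsp", "jspx")
_EXT_RE = re.compile(r"\.(?:" + "|".join(DANGEROUS_EXTENSIONS) + r")$", re.IGNORECASE)

# Extracts the quoted filename parameter from a multipart Content-Disposition
# header. The quoted value is taken verbatim, so whitespace inside the quotes
# survives into the filename that the extension check sees.
_FILENAME_RE = re.compile(r'filename="([^"]*)"', re.IGNORECASE)


def extract_filename(content_disposition: str) -> str:
    m = _FILENAME_RE.search(content_disposition)
    return m.group(1) if m else ""


def naive_blocked(filename: str) -> bool:
    """Dot-extension check on the raw filename: the flawed pattern.

    Any whitespace between the dot and the end of the name breaks the match,
    so 'shell.php ' or 'shell.\\tphp' are not recognised as .php uploads.
    """
    return _EXT_RE.search(filename) is not None


def normalize_whitespace(filename: str) -> str:
    """Remove every whitespace character before matching (hypothetical hardening).

    Removing rather than trimming is deliberate: whitespace inserted in the
    middle of the extension ('ph p') must not defeat the check either.
    """
    return re.sub(r"\s+", "", filename)


def hardened_blocked(filename: str) -> bool:
    """Same check, run on the whitespace-normalized filename."""
    return _EXT_RE.search(normalize_whitespace(filename)) is not None


def evaluate(headers):
    """Return (filename, naive_verdict, hardened_verdict) for each header."""
    results = []
    for h in headers:
        name = extract_filename(h)
        results.append((name, naive_blocked(name), hardened_blocked(name)))
    return results


# Constructed sample headers for the example (not captured traffic).
SAMPLE_HEADERS = [
    'Content-Disposition: form-data; name="file"; filename="report.pdf"',
    'Content-Disposition: form-data; name="file"; filename="shell.php"',
    'Content-Disposition: form-data; name="file"; filename="shell.php "',   # trailing space
    'Content-Disposition: form-data; name="file"; filename="shell.\tphp"',  # tab after the dot
    'Content-Disposition: form-data; name="file"; filename="shell.ph p"',   # space inside the extension
]

if __name__ == "__main__":
    for name, naive, hardened in evaluate(SAMPLE_HEADERS):
        print(f"{name!r:16} naive_blocked={naive!s:5} hardened_blocked={hardened}")
```

Only the first two sample names are classified correctly by the raw check; the three whitespace variants slip past it and are caught only after normalization. In ModSecurity terms the fix corresponds to applying a whitespace-removing transformation (ModSecurity provides t:removeWhitespace) to the filename before the extension match; the exact change shipped in CRS 3.3.9 and 4.25.0 is not shown on this page.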

Affected Version(s)

coreruleset < 3.3.9 (fixed in 3.3.9)

coreruleset >= 4.0.0-rc1, < 4.25.0 (fixed in 4.25.0)

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published (2 April 2026)