PT-2026-28792 · Unknown · Kusanagi-Mod Security Crs

Hackingrepo · Published 2026-01-01 · Updated 2026-04-19 · CVE-2026-33691

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

OWASP Core Rule Set (CRS) versions prior to 3.3.9 and prior to 4.25.0

Description

The OWASP Core Rule Set (CRS) contains a flaw where whitespace padding in filenames can bypass file upload extension checks. This allows the upload of dangerous files such as .php, .phar, .jsp, and .jspx. The affected rules do not normalize whitespace before evaluating the file extension regex, leading to a failure in the dot-extension check. Exploitation is most practical on Windows systems.

Recommendations

Upgrade to OWASP CRS version 3.3.9 or 4.25.0.
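The failure mode described above, as an added example (not CRS rule code and not code from this advisory): an application-side upload check that evaluates a dot-extension regex on the raw filename, next to the same regex evaluated after whitespace is removed. The regex, function names and sample filenames are assumptions constructed for illustration.

```python
import re

# Assumption: simplified stand-in for a dot-extension check, not the CRS rule text.
BLOCKED_EXT = re.compile(r"\.(?:php|phar|jsp|jspx)$", re.IGNORECASE)


def naive_is_blocked(filename: str) -> bool:
    """Extension check applied to the raw filename, with no whitespace handling."""
    return BLOCKED_EXT.search(filename) is not None


def normalize_filename(filename: str) -> str:
    """Remove every whitespace character (spaces, tabs, NBSP, ...) before matching."""
    return "".join(ch for ch in filename if not ch.isspace())


def hardened_is_blocked(filename: str) -> bool:
    """Same regex, evaluated only after whitespace has been normalized away."""
    return BLOCKED_EXT.search(normalize_filename(filename)) is not None


def verdict(filename: str) -> str:
    """Classify an upload filename.

    'block'        : rejected by the raw check already
    'block-padded' : rejected only after normalization; worth logging, since a
                     filename that changes verdict when whitespace is removed
                     is the pattern this advisory describes
    'allow'        : no blocked extension either way
    """
    if naive_is_blocked(filename):
        return "block"
    if hardened_is_blocked(filename):
        return "block-padded"
    return "allow"


# Constructed sample filenames (not taken from the advisory).
SAMPLES = ["invoice.pdf", "index.php", "index.php ", "index. php",
           "page.jspx\t", "my photo.png"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:16} naive_blocked={naive_is_blocked(name)!s:5} "
              f"verdict={verdict(name)}")
```

A check like this complements the CRS upgrade rather than replacing it; the stored filename should also be the normalized (or server-generated) one, not the raw client value.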

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-33691

Affected Products

Kusanagi-Mod Security Crs