CVE-2026-33691 — Improper Handling of Case Sensitivity in Modsecurity Core Rule SET

CWE-178 — Improper Handling of Case Sensitivity5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 79.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Coreruleset Owasp Modsecurity Core Rule SET Debian Modsecurity-crs

Timeline

PublishedApr 2

Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This is…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDowasp/owasp_modsecurity_core_rule_set4.0.0 — 4.25.0+1

▶CVEListV5coreruleset/coreruleset< 3.3.9+1

▶debiandebian/modsecurity-crs< modsecurity-crs 3.3.9-1 (forky)

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33691: The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls↗2026-04-02

▶

OSV

CVE-2026-33691: [Whitespace padding in filenames bypasses file upload extension checks]↗2026-03-31

▶

📋Vendor Advisories

Debian

CVE-2026-33691: modsecurity-crs - The OWASP core rule set (CRS) is a set of generic attack detection rules for use...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33691 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶