Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAPmip_xXkz6hjTUUKbaHr1hwq5ROfpNwn5Rq-t9cxMgs6uXhZQ@mail.gmail.com>
Date: Sun, 29 Mar 2026 03:33:11 -0400
From: cyber security <cs7778503@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability

A vulnerability was identified in OWASP CRS where whitespace padding
in filenames can bypass file upload extension checks, allowing uploads
of dangerous files such as .php, .phar, .jsp, and .jspx. This issue
has been assigned CVE‑2026‑33691.

Impact: Attackers may evade CRS protections and upload web shells
disguised with whitespace‑padded extensions. Exploitation is most
practical on Windows backends that normalize whitespace in filenames
before execution, In linux harder because it require a backend that
use like `.strip()` and `.trim()` and other whitespace trimming
methods depending on the language here vulnerable to that or the
webserver strip whitespaces or the backend on general, If not they not
vulnerable to that.

Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes
are always backported to supported branches.

References:

Full advisory: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w

Credits: Reported by RelunSec (aka @HackingRepo on Github).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.