A vulnerability was identified in OWASP CRS where whitespace padding in filenames can bypass file upload extension checks, allowing uploads of dangerous files such as .php, .phar, .jsp, and .jspx. Impact: Attackers may evade CRS protections and upload web shells disguised with whitespace-padded extensions. Exploitation is most practical against Windows backends, which normalize whitespace in filenames before the file is stored and executed. On Linux it is harder: the bypass only works when the web server or the application strips the padding before the file is written, for example with `.strip()` in Python, `.trim()` in Java, or the equivalent trimming method in other languages. Backends that store the padded filename unchanged are not affected by this bypass.
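To make the bypass concrete, the following is an added illustration, not CRS code and not the CRS rule regex: a naive extension denylist that inspects the raw multipart filename, beside a hardened version that canonicalizes padding the way a trimming backend or Windows would before deciding. The Content-Disposition value, the denylist and the `backend_trim` model are constructed for this example.

```python
import re

# Extensions named in the advisory; a constructed denylist for this example,
# not the actual CRS rule set or its regex.
DANGEROUS_EXTENSIONS = (".php", ".phar", ".jsp", ".jspx")


def filename_from_content_disposition(header_value: str) -> str:
    """Pull the quoted filename out of a multipart Content-Disposition value.

    Nothing is trimmed here: whitespace inside the quotes is part of the name,
    which is exactly what lets padding survive into the extension check.
    """
    match = re.search(r'filename="((?:[^"\\]|\\.)*)"', header_value)
    return match.group(1) if match else ""


def naive_is_blocked(filename: str) -> bool:
    """Extension check that only inspects the submitted string.

    Because the match is anchored at the end of the name, 'shell.php ' (with a
    trailing space) does not end in '.php' and slips through.
    """
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in DANGEROUS_EXTENSIONS)


def backend_trim(filename: str) -> str:
    """Model of a backend that trims before writing to disk (Python's .strip(),
    Java's .trim(), or Windows dropping trailing spaces and dots from names)."""
    return filename.strip()


def normalize_filename(filename: str) -> str:
    """Canonicalize the way a trimming backend or Windows would, and then some:
    leading whitespace, plus any run of trailing whitespace and dots, is removed.
    The \\s class is Unicode-aware in Python, so NBSP-style padding is covered."""
    return re.sub(r"^\s+|[\s.]+$", "", filename)


def hardened_is_blocked(filename: str) -> bool:
    """Decide on the canonical name, not the raw one.

    Any padding that a downstream component could strip is stripped here first,
    so the check sees the same extension the filesystem eventually will.
    """
    return naive_is_blocked(normalize_filename(filename))


def simulate_upload(filename: str, check) -> tuple:
    """Run a filename through a check and then a trimming backend.

    Returns (blocked, stored_name); stored_name is None when blocked.
    """
    if check(filename):
        return True, None
    return False, backend_trim(filename)


if __name__ == "__main__":
    # Constructed request header value, not captured from a real system.
    header = 'form-data; name="file"; filename="shell.php   "'
    name = filename_from_content_disposition(header)
    print("submitted:", repr(name))
    print("naive    :", simulate_upload(name, naive_is_blocked))
    print("hardened :", simulate_upload(name, hardened_is_blocked))
```

Running the script shows the naive check letting `shell.php   ` through and the trimming backend storing it as `shell.php`, while the hardened check rejects it. Canonicalizing before the decision is chosen here over rejecting every padded name outright; either is defensible, but the first keeps the check aligned with what the filesystem will actually see, which is the property the bypass exploits.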
| Vendor | Product | Versions |
|---|---|---|
| owasp | owasp_modsecurity_core_rule_set | < 3.3.9, >= 4.0.0-rc1, < 4.25.0, v4.25.x LTS, v4.8.x |
Updated description with detailed exploitation methods, added affected versions v4.25.x LTS and v4.8.x, and included new URLs and tags.
Added a more detailed description of the vulnerability and confirmed the tag CVE-2026-33691.
Marked exploit availability as true, actively exploited status as true, and added new tags for CVE-2026-33691 and CVE-2015-10138.
Initial creation