Deep analysis by us confirms that, using CVE-2026-33691, on any
platform, whether Windows, Linux or Mac, you can bypass an unpatched CRS
and use CVE-2015-10138,
as confirmed, as we see in this line:
```php
// Lines 493-498 of public/includes/UploadHandler.php
protected function trim_file_name($name, $type = null, $index = null, $content_range = null) {
    // Remove path information and dots around the filename...
    // Also remove control characters and spaces (\x00..\x20) around the filename:
    $name = trim(basename(stripslashes($name)), ".\x00..\x20");
    // ...
}
```
It unlocks the old CVE-2015-10138, and an attacker gets RCE if the WAF is
not patched; that unlocks the old vuln's power against a modern WAF.
Most people rely on the WAF alone, and the `Work The Flow File
Upload` plugin is never patched and even runs **EOL**, which is very
common. That is the danger. After that confirmation, we see one WordPress
plugin confirmed to trim whitespace from uploaded files.
On Sun, Mar 29, 2026 at 3:33 AM cyber security <[email protected]> wrote:
>
> A vulnerability was identified in OWASP CRS where whitespace padding
> in filenames can bypass file upload extension checks, allowing uploads
> of dangerous files such as .php, .phar, .jsp, and .jspx. This issue
> has been assigned CVE‑2026‑33691.
>
> Impact: Attackers may evade CRS protections and upload web shells
> disguised with whitespace‑padded extensions. Exploitation is most
> practical on Windows backends that normalize whitespace in filenames
> before execution. On Linux it is harder because it requires a backend
> that uses something like `.strip()`, `.trim()` or other whitespace-trimming
> methods, depending on the language, or a web server that strips
> whitespace, or the backend in general; if not, they are not
> vulnerable to that.
>
> Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes
> are always backported to supported branches.
>
> References:
>
> Full advisory:
> https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
>
> Credits: Reported by RelunSec (aka @HackingRepo on Github).
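To make the chain above concrete, here is an added Python model of the bypass; it is not code from CRS, from the advisory, or from the plugin. It assumes a simplified extension check anchored at the end of the raw filename (an assumption about the failure mode, not the text of any CRS rule), reproduces the posted `trim_file_name()` logic in Python (`stripslashes()` and `basename()` are approximated), and shows the hardened check that normalizes the name the same way the backend will before matching. All function names and sample filenames are constructed for this example.

```python
import re

# Extensions from the advisory that a WAF or upload handler should refuse.
BLOCKED_EXTENSIONS = {"php", "phar", "jsp", "jspx"}

# Simplified stand-in for an extension check that matches the RAW filename.
# ASSUMPTION: a model of the failure mode, not the text of any CRS rule.
# Because the pattern is anchored at the end of the string, a trailing
# space, tab, NUL or dot after ".php" stops it from matching.
_RAW_EXT_RE = re.compile(
    r"\.(" + "|".join(sorted(BLOCKED_EXTENSIONS)) + r")$", re.IGNORECASE
)

# Characters the posted trim_file_name() strips: '.' plus the range \x00..\x20
# (PHP's trim() reads "a..z" in its character list as a range).
_PHP_TRIM_CHARS = "." + "".join(chr(c) for c in range(0x00, 0x21))


def waf_blocks_raw(filename: str) -> bool:
    """Naive check on the filename exactly as sent in the multipart request."""
    return _RAW_EXT_RE.search(filename) is not None


def backend_trim(filename: str) -> str:
    """Python model of trim(basename(stripslashes($name)), ".\\x00..\\x20").

    stripslashes() is approximated by dropping backslashes and basename()
    by keeping the text after the last '/'. The strip() call then removes
    '.', NUL and every control character up to and including space from
    both ends, which is what turns "shell.php " back into "shell.php".
    """
    name = filename.replace("\\", "")
    name = name.rsplit("/", 1)[-1]
    return name.strip(_PHP_TRIM_CHARS)


def effective_extension(stored_name: str) -> str:
    """Extension the web server sees on disk once the backend has stored the file."""
    if "." not in stored_name:
        return ""
    return stored_name.rsplit(".", 1)[-1].lower()


def waf_blocks_normalized(filename: str) -> bool:
    """Hardened check: normalize the name the way the backend will, then match."""
    return effective_extension(backend_trim(filename)) in BLOCKED_EXTENSIONS


def simulate_upload(filename: str) -> dict:
    """Trace one upload through the raw check, the backend trim and the on-disk result."""
    stored = backend_trim(filename)
    return {
        "sent_as": filename,
        "raw_check_blocks": waf_blocks_raw(filename),
        "stored_as": stored,
        "lands_as_executable": effective_extension(stored) in BLOCKED_EXTENSIONS,
        "normalized_check_blocks": waf_blocks_normalized(filename),
    }


if __name__ == "__main__":
    # Constructed sample filenames, not captured traffic.
    samples = [
        "shell.php",           # caught by both checks
        "shell.php ",          # trailing space: raw check misses it, backend trims it
        "shell.php\t",         # trailing tab, same effect
        "shell.php\x00",       # trailing NUL, same effect
        "shell.php.",          # trailing dot is also in the trim set
        "../../shell.phar ",   # path prefix removed by basename(), then trimmed
        "notes.txt ",          # harmless upload, neither check fires
    ]
    for name in samples:
        print(simulate_upload(name))
```

The point of `waf_blocks_normalized()` is that any filter in front of a trimming backend has to apply the same normalization before it matches the extension, or compare against the name the backend will actually store; a check on the raw request string alone is only as strong as the backend's refusal to touch the name.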