After deep analysis we confirm, that CVE-2026-33691 aka it alias UnlockOldUpload, can even disable ModSecurity WAF
More info at https://unlockoldupload.hashnode.dev/disable-modsecurity-waf-using-cve-2026-33691. On Thu, Apr 16, 2026 at 3:37 PM cyber security <[email protected]> wrote: > > Deep analysis by US confirm, that using CVE-2026-33691, in any > platform wheter windows or linux or mac, you can bypass unpatched CRS > and use CVE-2015-10138 > > as confirmed, as we see in that line > > ``` > 1 // Lines 493-498 of public/includes/UploadHandler.php > 2 protected function trim_file_name($name, $type = null, $index = > null, $content_range = null) { > 3 // Remove path information and dots around the filename... > 4 // Also remove control characters and spaces (\x00..\x20) > around the filename: > 5 $name = trim(basename(stripslashes($name)), ".\x00..\x20"); > 6 // ... > 7 } > ``` > > It unlocks the old CVE-2015-10138 and an attacker get RCE if WAFs are > not patched, that unlocks the old vuln power against a modern WAF, > most peoples rely only on the WAF alone and `Work The Flow File > Upload` plugin is never patched and even run **EOL** that is very > common, That is the danger, after that confirm, we see one wordpress > plugin confirmed trims whitespaces from uploaded files > > On Sun, Mar 29, 2026 at 3:33 AM cyber security <[email protected]> wrote: > > > > A vulnerability was identified in OWASP CRS where whitespace padding > > in filenames can bypass file upload extension checks, allowing uploads > > of dangerous files such as .php, .phar, .jsp, and .jspx. This issue > > has been assigned CVE‑2026‑33691. > > > > Impact: Attackers may evade CRS protections and upload web shells > > disguised with whitespace‑padded extensions. Exploitation is most > > practical on Windows backends that normalize whitespace in filenames > > before execution, In linux harder because it require a backend that > > use like `.strip()` and `.trim()` and other whitespace trimming > > methods depending on the language here vulnerable to that or the > > webserver strip whitespaces or the backend on general, If not they not > > vulnerable to that. > > > > Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes > > are always backported to supported branches. > > > > References: > > > > Full advisory: > > https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w > > > > Credits: Reported by RelunSec (aka @HackingRepo on Github).
