Also, you can use CVE-2026-33691 to disable security headers while bypassing CRS.
More info at https://unlockoldupload.hashnode.dev/turn-off-security-headers-using-cve-2026-33691

On Sat, Apr 18, 2026 at 3:00 AM cyber security <[email protected]> wrote:
>
> After deep analysis we confirm that CVE-2026-33691, aka its alias
> UnlockOldUpload, can even disable ModSecurity WAF
>
> More info at
> https://unlockoldupload.hashnode.dev/disable-modsecurity-waf-using-cve-2026-33691.
>
> On Thu, Apr 16, 2026 at 3:37 PM cyber security <[email protected]> wrote:
> >
> > Deep analysis by US confirms that using CVE-2026-33691, on any
> > platform, whether Windows or Linux or Mac, you can bypass unpatched CRS
> > and use CVE-2015-10138
> >
> > as confirmed, as we see in that line
> >
> > ```
> > // Lines 493-498 of public/includes/UploadHandler.php
> > protected function trim_file_name($name, $type = null, $index = null, $content_range = null) {
> >     // Remove path information and dots around the filename...
> >     // Also remove control characters and spaces (\x00..\x20) around the filename:
> >     $name = trim(basename(stripslashes($name)), ".\x00..\x20");
> >     // ...
> > }
> > ```
> >
> > It unlocks the old CVE-2015-10138 and an attacker gets RCE if WAFs are
> > not patched, that unlocks the old vuln power against a modern WAF,
> > most people rely only on the WAF alone and the `Work The Flow File
> > Upload` plugin is never patched and even runs **EOL**, that is very
> > common. That is the danger. After that confirmation, we see one WordPress
> > plugin confirmed to trim whitespace from uploaded files
> >
> > On Sun, Mar 29, 2026 at 3:33 AM cyber security <[email protected]> wrote:
> > >
> > > A vulnerability was identified in OWASP CRS where whitespace padding
> > > in filenames can bypass file upload extension checks, allowing uploads
> > > of dangerous files such as .php, .phar, .jsp, and .jspx. This issue
> > > has been assigned CVE-2026-33691.
> > >
> > > Impact: Attackers may evade CRS protections and upload web shells
> > > disguised with whitespace-padded extensions. Exploitation is most
> > > practical on Windows backends that normalize whitespace in filenames
> > > before execution. On Linux it is harder because it requires a backend
> > > that uses methods like `.strip()` and `.trim()` and other whitespace
> > > trimming methods, depending on the language, to be vulnerable to that,
> > > or the webserver strips whitespace, or the backend in general. If not,
> > > they are not vulnerable to that.
> > >
> > > Fix: Patched in CRS v3.3.9, v4.25.x LTS, and v4.8.x. Security fixes
> > > are always backported to supported branches.
> > >
> > > References:
> > >
> > > Full advisory:
> > > https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
> > >
> > > Credits: Reported by RelunSec (aka @HackingRepo on GitHub).
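
For backends that trim upload names the way the quoted `trim_file_name()` does, the extension check has to run on the name after that trimming, not on the raw name the WAF saw. The following is an added example, not part of the thread and not the plugin's or the CRS project's code; the function names, the allowlist and the sample names are assumptions constructed for illustration.

```php
<?php
// Added example: validate an upload name only after applying the same
// normalization the storage layer applies, so padding cannot hide an extension.

// Allowlist of extensions this hypothetical application accepts (assumption).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Same trimming the quoted trim_file_name() performs: strip path information,
// then dots, control characters and spaces (\x00..\x20) around the name.
function normalize_upload_name(string $name): string
{
    return trim(basename(stripslashes($name)), ".\x00..\x20");
}

// Returns the normalized name if it is acceptable, or null to reject.
function validate_upload_name(string $raw): ?string
{
    $name = normalize_upload_name($raw);
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null; // empty after trimming, or embedded control characters
    }
    // Check every dot-separated segment after the base name, so a name with
    // a disallowed inner extension is rejected as well as a trailing one.
    $segments = explode('.', strtolower($name));
    array_shift($segments); // drop the base name
    if ($segments === []) {
        return null; // no extension at all
    }
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null; // includes segments that still carry inner spaces
        }
    }
    return $name; // store the file under this exact name, never under $raw
}

// Constructed sample names, including whitespace-padded ones.
$samples = ["photo.png", "photo.png ", "notes.php ", "notes.php\t", "a.phar.", "doc.pdf"];
foreach ($samples as $raw) {
    $result = validate_upload_name($raw);
    printf("%-14s => %s\n", json_encode($raw), $result ?? 'REJECTED');
}
```

The check is an allowlist on the normalized name, so it holds whether or not the CRS in front of the application has been updated to one of the patched versions listed in the advisory.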
