What is CVE-2026-33691?

CVE-2026-33691 is a medium-severity vulnerability in Coreruleset, classified under Improper Handling of Case Sensitivity. CVSS score: 6.8/10. Published 2026-04-02.

How severe is CVE-2026-33691?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Vulnerability in Coreruleset

CVE-2026-33691

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous…

EPSS: 0.000 (9.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N.

Affected products

Coreruleset — versions < 3.3.9, >= 4.0.0-rc1, < 4.25.0

Weakness classification (CWE)

CWE-178 — Improper Handling of Case Sensitivity

References

https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w (x_refsource_CONFIRM)
https://github.com/coreruleset/coreruleset/pull/4546 (x_refsource_MISC)
https://github.com/coreruleset/coreruleset/pull/4547 (x_refsource_MISC)
https://github.com/coreruleset/coreruleset/pull/4548 (x_refsource_MISC)
https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02 (x_refsource_MISC)
https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9 (x_refsource_MISC)
https://github.com/coreruleset/coreruleset/releases/tag/v4.25.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33691?: CVE-2026-33691 is a medium-severity vulnerability in Coreruleset, classified under Improper Handling of Case Sensitivity. CVSS score: 6.8/10. Published 2026-04-02.
How severe is CVE-2026-33691?: Medium severity. CVSS v3 base score is 6.8 out of 10.