Question Security FIX CVE-2026-33691 OWASP < 4.25.0 (LTS)

[Franchino]

Server operating system version

Almalinux 9.7

Plesk version and microupdate number

Plesk 18.0.76 #4

Hi,

OWASP 4.25.0 LTS Released (Security Fix)

Release v4.25.0 (LTS) · coreruleset/coreruleset

What's Changed Important ⭐ These below fix CVE-2026-33691: fix(933111): prevent whitespace padding bypass in PHP double-extension upload by @fzipi in #4547 fix(933110): prevent whitespace padding ...

github.com

Affected versions​

< 4.25.0

< 3.3.9

Patched versions​

4.25.0

3.3.9

Whitespace padding in filenames bypasses file upload extension checks

## Impact A bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php ...

github.com

CVE-2026-33691

Debian Linux - modsecurity-crs - None

www.tenable.com

Looking at the change log for plesk 18.0.77 I see

Updated the OWASP ModSecurity CRS version to 4.24.1.

shouldn't we just update directly to 4.25.0 LTS?

Thanks

Franco

 

[Sebahat.hadzhi]

Hi, Franco. We do have a registered task (PPP-71264) and our team is currently working on updating the component version to version 4.25.0. I cannot provide an ETA at the moment, but it will most likely be released with the upcoming release.