OWASP CRS recently disclosed CVE-2026-33691 , affecting versions below 4.25.0 and 3.3.9. This vulnerability does not affect OpenPanel servers at all as its only exploitable on Windows servers. Still, of you installed OpenPanel a while back and haven't updated your WAF rules since, a single command is all you need: opencli waf update if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } That said, this is a good opportunity to observe how quickly other control panels respond to the same disclosure. Panels built on legacy codebases often require significantly more time to patch, test, and ship rule updates to their users - if they do so at all. We'll be watching. 👀

CVE-2026-33691 (OWASP CRS) – Not exploitable on OpenPanel

MixDelo

OWASP CRS recently disclosed CVE-2026-33691, affecting versions below 4.25.0 and 3.3.9.

This vulnerability does not affect OpenPanel servers at all as its only exploitable on Windows servers.

Still, of you installed OpenPanel a while back and haven't updated your WAF rules since, a single command is all you need:

opencli waf update

That said, this is a good opportunity to observe how quickly other control panels respond to the same disclosure. Panels built on legacy codebases often require significantly more time to patch, test, and ship rule updates to their users - if they do so at all.

We'll be watching. 👀

relunsec

No, i'm fraid, i need correct that, @MixDelo, CVE-2026-33691 work on windows yes regardless of the code, because the NTFS file system ignore whitespaces, but in linux and other OSes also if an app use .strip() or .trim() or .stripWhitespace() or any trimming whitespace method, in fact most devs trim whitespaces and remove \x00 from the uploaded file do that for prevent confusion uploaded files