CVE-2025-58098

HIGH 8.3

Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...

CVSS Score

8.3

EPSS Score

0.0%

EPSS Percentile

0th

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CWE	CWE-201
Vendor	apache software foundation
Product	apache http server
Published	Dec 5, 2025
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache http server

Be the first to know when new high vulnerabilities affecting apache software foundation apache http server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache HTTP Server

0 < 2.4.66

References

NVD ↗ CVE.org ↗ EPSS Data ↗

httpd.apache.org: https://httpd.apache.org/security/vulnerabilities_24.html openwall.com: http://www.openwall.com/lists/oss-security/2025/12/04/5

Credits

Anthony Parfenov (United Rentals, Inc.)