- Description
- Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- http_server
CVSS 3.1
- Type
- Secondary
- Base score
- 8.3
- Impact score
- 5.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
- Severity
- HIGH
- security@apache.org
- CWE-201
Apache HTTP Server CVE-2025-58098 proof of concept. #exec cmd=... directive argument injection https://t.co/ez4drGVR5R
@ninjakiii
12 Jan 2026
⚠️ Vulnerability in Apache products ❗ CVE-2025-58098 ➡️ More info: https://t.co/dHQzPEKFoP https://t.co/4xoiclhx4A
@CERTpy
8 Jan 2026
New #Fedora security advisory dropped: FEDORA-2025-f7c75ffee2 for httpd. It's CVE-2025-58098, a classic but dangerous directory traversal bug. Read more: 👉 https://t.co/wUBZOe8oPa #Security https://t.co/a68NTuUXpC
@Cezar_H_Linux
25 Dec 2025
Apache HTTP Server CVE-2025-55753: mod_md (ACME), unintended retry intervals https://t.co/AdZUnjd4K9 CVE-2025-58098: Server Side Includes adds query string to #exec cmd=... https://t.co/77ushB6TZv CVE-2025-59775: NTLM Leakage on Windows through UNC SSRF https://t.co/1mTjz35NfJ
@oss_security
4 Dec 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "A3D22F90-E531-4EC1-B581-FF5068BC3A58",
            "versionEndExcluding": "2.4.66",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]