Severity: low Affected versions:
- Apache HTTP Server before 2.4.66 Description: Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. Credit: Anthony Parfenov (United Rentals, Inc.) (finder) References: https://httpd.apache.org/security/vulnerabilities_24.html https://httpd.apache.org/ https://www.cve.org/CVERecord?id=CVE-2025-58098 Timeline: 2025-08-21: Reported to security team 2025-12-01: fixed in 2.4.x by r1930165
