CVE-2025-58098

HIGH

Apache HTTP Server <2.4.66 - Command Injection

Title source: llm

Description

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Exploits (1)

nomisec WRITEUP 1 star
by dhmosfunk · poc
https://github.com/dhmosfunk/CVE-2025-58098

Scores

CVSS v3: 8.3
EPSS: 0.0003
EPSS Percentile: 7.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Classification

CWE: CWE-201
Status: published

Affected Products (1)

apache/http_server < 2.4.66

Timeline

Published: Dec 05, 2025
Tracked Since: Feb 18, 2026