Vulnerability details: VCID-2d8p-bbc1-hkfa
Vulnerability ID: VCID-2d8p-bbc1-hkfa
Aliases: CVE-2025-58098
Summary: Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.4
Risk: 3.2
Weaknesses (1)
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58098.json
https://api.first.org/data/v1/epss?cve=CVE-2025-58098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58098
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1121926 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121926
2419365 https://bugzilla.redhat.com/show_bug.cgi?id=2419365
CVE-2025-58098 https://httpd.apache.org/security/json/CVE-2025-58098.json
RHSA-2025:23732 https://access.redhat.com/errata/RHSA-2025:23732
RHSA-2025:23919 https://access.redhat.com/errata/RHSA-2025:23919
RHSA-2025:23932 https://access.redhat.com/errata/RHSA-2025:23932
RHSA-2026:0009 https://access.redhat.com/errata/RHSA-2026:0009
RHSA-2026:0010 https://access.redhat.com/errata/RHSA-2026:0010
RHSA-2026:0011 https://access.redhat.com/errata/RHSA-2026:0011
RHSA-2026:0012 https://access.redhat.com/errata/RHSA-2026:0012
RHSA-2026:0074 https://access.redhat.com/errata/RHSA-2026:0074
RHSA-2026:0075 https://access.redhat.com/errata/RHSA-2026:0075
RHSA-2026:0090 https://access.redhat.com/errata/RHSA-2026:0090
RHSA-2026:0095 https://access.redhat.com/errata/RHSA-2026:0095
RHSA-2026:0139 https://access.redhat.com/errata/RHSA-2026:0139
RHSA-2026:0141 https://access.redhat.com/errata/RHSA-2026:0141
RHSA-2026:0171 https://access.redhat.com/errata/RHSA-2026:0171
RHSA-2026:2994 https://access.redhat.com/errata/RHSA-2026:2994
RHSA-2026:2995 https://access.redhat.com/errata/RHSA-2026:2995
USN-7968-1 https://usn.ubuntu.com/7968-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58098.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L Found at https://httpd.apache.org/security/vulnerabilities_24.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-22T04:55:46Z/ Found at https://httpd.apache.org/security/vulnerabilities_24.html
Exploit Prediction Scoring System (EPSS)
Percentile: 0.07398
EPSS Score: 0.00027
Published At: April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:36:23.805687+00:00 Apache HTTPD Importer Import https://httpd.apache.org/security/json/CVE-2025-58098.json 38.0.0