Updated: 2026-01-08 03:29:11.620107
Description:
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | HIGH | 7.1 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | httpd | 2.4.53 | 7.1 | HIGH | Released | CLSA-2025:1767004508 | 2025-12-29 17:05:12 | |
| CentOS 7 ELS | httpd | 2.4.6 | 7.1 | HIGH | In Rollout | CLSA-2026:1767970357 | 2026-01-09 20:15:43 | |
| CentOS 8.4 ELS | httpd | 2.4.37 | 7.1 | HIGH | Released | CLSA-2026:1767613214 | 2026-01-05 20:08:11 | |
| CentOS 8.5 ELS | httpd | 2.4.37 | 7.1 | HIGH | Released | CLSA-2026:1767609927 | 2026-01-05 20:08:13 | |
| CentOS Stream 8 ELS | httpd | 2.4.37 | 7.1 | HIGH | Released | CLSA-2026:1767800942 | 2026-01-07 20:15:13 | |
| CloudLinux 7 ELS | httpd | 2.4.6 | 7.1 | HIGH | In Testing | | 2026-01-07 01:00:27 | |
| Oracle Linux 7 ELS | httpd | 2.4.6 | 7.1 | HIGH | Released | CLSA-2026:1767949942 | 2026-01-09 11:13:09 | |
| RHEL 7 ELS | httpd | 2.4.6 | 7.1 | HIGH | Released | CLSA-2026:1767950193 | 2026-01-09 11:13:07 | |
| TuxCare 9.6 ESU | httpd | 2.4.62 | 7.1 | HIGH | Released | CLSA-2025:1767027096 | 2025-12-29 17:05:09 | |