Apache HTTP Server has a newly disclosed vulnerability tracked as CVE-2025-58098 that causes the Server Side Includes (SSI) processor to pass a shell-escaped query string into the output of <!--#exec cmd="…"--> directives when mod_cgid (but not mod_cgi) is enabled — a bug fixed in the 2.4.66...
