VYPR

CWE-97

Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

Variant · Draft

Description

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-101 · CAPEC-35

CVEs mapped to this weakness (4)

  • CVE-2025-35996 · Critical · May 1, 2025
    risk 0.59 · cvss 9.0 · epss 0.11

    KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape…

  • CVE-2024-56363 · High · Dec 23, 2024
    risk 0.44 · cvss 7.8 · epss 0.00

    APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. In 1.0, there is a vulnerability in the web application's handling of user-supplied input that is…

  • CVE-2025-36558 · Medium · May 1, 2025
    risk 0.40 · cvss 6.1 · epss 0.13

    KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.

  • CVE-2024-29686 · Mar 29, 2024
    risk 0.00 · cvss (none) · epss 0.02

    Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted…