HCE2-SA-2026-0018 Important HCE 2.0 Security Fix(es): mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. (CVE-2025-66200) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. (CVE-2025-58098) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue. (CVE-2025-65082) HCE 2.0 httpd-2.4.51-5.r32.hce2.x86_64.rpm httpd-devel-2.4.51-5.r32.hce2.x86_64.rpm httpd-filesystem-2.4.51-5.r32.hce2.noarch.rpm httpd-help-2.4.51-5.r32.hce2.noarch.rpm httpd-tools-2.4.51-5.r32.hce2.x86_64.rpm mod_ldap-2.4.51-5.r32.hce2.x86_64.rpm mod_md-2.4.51-5.r32.hce2.x86_64.rpm mod_proxy_html-2.4.51-5.r32.hce2.x86_64.rpm mod_session-2.4.51-5.r32.hce2.x86_64.rpm mod_ssl-2.4.51-5.r32.hce2.x86_64.rpm httpd-2.4.51-5.r32.hce2.aarch64.rpm httpd-devel-2.4.51-5.r32.hce2.aarch64.rpm httpd-tools-2.4.51-5.r32.hce2.aarch64.rpm mod_ldap-2.4.51-5.r32.hce2.aarch64.rpm mod_md-2.4.51-5.r32.hce2.aarch64.rpm mod_proxy_html-2.4.51-5.r32.hce2.aarch64.rpm mod_session-2.4.51-5.r32.hce2.aarch64.rpm mod_ssl-2.4.51-5.r32.hce2.aarch64.rpm