Variant · Draft

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

Category: other

Description

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Common consequences · 1

  • Confidentiality / Integrity / Availability — Execute Unauthorized Code or Commands

Related CAPEC attack patterns · 2

CAPEC-101, CAPEC-35

References

  1. https://cwe.mitre.org/data/definitions/97.html

Exploits (incoming) · 2

Type | Target | Confidence | Tier
AttackPattern | Server Side Include (SSI) Injection (capec-101) | 100% | live
AttackPattern | Leverage Executable Code in Non-Executable Files (capec-35) | 100% | live

(incoming) · 1

Type | Target | Confidence | Tier
Vulnerability | CVE-2025-35996 (cve-2025-35996) | 0% | live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE: Improper Neutralization of Special Elements Used in a Template Engine
  • CWE: Improper Neutralization of Alternate XSS Syntax
  • CWE: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
  • CWE: Improper Neutralization of Script in an Error Message Web Page
  • CWE: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.