CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
Last updated
Overview
CWE-97 (Improper Neutralization of Server-Side Includes (SSI) Within a Web Page) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
6 recorded CVEs are caused by CWE-97 (Improper Neutralization of Server-Side Includes (SSI) Within a Web Page). The highest-severity and most recent are shown first. 0 new CWE-97 CVEs have been recorded so far in 2026 (4 in 2025).
- CVE-2023-53934
Kentico Xperience <= 12.0.98 GetResource Handler Denial of Service
High · CVSS 8.7 · EPSS 28th2025-12-18 - CVE-2025-35996
KUNBUS Revolution Pi Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
High · CVSS 8.5 · EPSS 96th2025-05-01 - CVE-2025-21103High · CVSS 7.8 · EPSS 12th2025-02-17