Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Conclusion & alert: CVE-2008-0455 is rated High Exploit Risk (67.1/100): CVSS Medium severity, with high exploitation likelihood (EPSS 52.58%, 98th percentile). Core evidence: 5 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 31052 | exploit_db | edb | 2008-01-22 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-02 | 51.97% | 52.58% | +0.61% |
| 2 | 2026-03-04 | 47.80% | 51.97% | +4.17% |
| 3 | 2026-03-01 | — | 47.80% | — |
Full EPSS history (50 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2008-0455 unimportant priority: Debian including 1 source packages (apache2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2008-0455 |
gentoo
|
normal | CVE-2008-0455: 1 GLSA(s) (200803-19), 1 atom(s) (www-servers/apache); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-0455 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2008-0455 |
ubuntu
|
low | CVE-2008-0455 low priority: Ubuntu including 2 source packages (apache, apache2), 14 status rows across 7 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, upstream): ignored 7, not-affected 4, DNE 3. | https://ubuntu.com/security/CVE-2008-0455 |
We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename.
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | http_server | >= 2.2.0, < 2.2.23 | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* |
| apache | http_server | >= 2.4.1, < 2.4.3 | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* |
| redhat | enterprise_linux_desktop | 5.0 | cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_server | 5.0 | cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_workstation | 5.0 | cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* |
| redhat | jboss_enterprise_application_platform | 6.0.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:* |
| redhat | jboss_enterprise_application_platform | 6.4.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:* |