> Vulnerabilities always seem to be related to CGI scripts somehow.
To the contrary, CGIs, running separate per-request processes, are one of the few mainstream mechanisms to create per-request isolates transparent to the host's security infrastructure and process monitoring. You have to go to great lengths to achieve similar isolation if you're starting with e.g. FCGI-like multithreaded or evented dispatch in a single process [1].
Perhaps you've got that impression because of the wild west shared hosting scene (made possible by CGIs and isolation in the first place), e.g. popular PHP-based packages WordPress, Drupal, Joomla, etc. Then I'm with you - the security record of these plugin monstrosities is truly in a league of its own. Just so we're on the same page, the most recent WP wtf involves theme developers DDoSing their competitors (who are reselling their themes) via your site.
[1]: https://github.com/google/sandboxed-api
[2]: https://www.jemjabella.co.uk/2019/security-alert-pipdig-inse...