Refine your search
2 vulnerabilities found for LSWS Enterprise by LiteSpeed Technologies
jvndb-2026-000037
Vulnerability from jvndb
Published
2026-03-16 17:18
Modified
2026-03-16 17:18
Severity ?
Summary
OpenLiteSpeed and LSWS Enterprise vulnerable to OS command injection
Details
OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain the following vulnerability.<a href='https://cwe.mitre.org/data/definitions/78.html' target='_blank'></a><ul><li>OS command injection (CWE-78) - CVE-2026-31386</li></ul>Daisuke Nakayama of Mizuho Financial Group, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000037.html",
"dc:date": "2026-03-16T17:18+09:00",
"dcterms:issued": "2026-03-16T17:18+09:00",
"dcterms:modified": "2026-03-16T17:18+09:00",
"description": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain the following vulnerability.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eOS command injection (CWE-78) - CVE-2026-31386\u003c/li\u003e\u003c/ul\u003eDaisuke Nakayama of Mizuho Financial Group, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000037.html",
"sec:cpe": [
{
"#text": "cpe:/a:litespeedtech:lsws_enterprise",
"@product": "LSWS Enterprise",
"@vendor": "LiteSpeed Technologies",
"@version": "2.2"
},
{
"#text": "cpe:/a:litespeedtech:open_litespeed",
"@product": "OpenLiteSpeed",
"@vendor": "LiteSpeed Technologies",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "7.2",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2026-000037",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN22152812/index.html",
"@id": "JVN#22152812",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-31386",
"@id": "CVE-2026-31386",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "OpenLiteSpeed and LSWS Enterprise vulnerable to OS command injection"
}
CVE-2026-31386 (GCVE-0-2026-31386)
Vulnerability from cvelistv5
Published
2026-03-16 05:21
Modified
2026-03-16 15:29
Severity ?
7.2 (High) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Summary
OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LiteSpeed Technologies | OpenLiteSpeed |
Version: all versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:28:55.405089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:29:03.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenLiteSpeed",
"vendor": "LiteSpeed Technologies",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"product": "LSWS Enterprise",
"vendor": "LiteSpeed Technologies",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T05:21:13.948Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://openlitespeed.org/"
},
{
"url": "https://www.litespeedtech.com/products/litespeed-web-server"
},
{
"url": "https://jvn.jp/en/jp/JVN22152812/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-31386",
"datePublished": "2026-03-16T05:21:13.948Z",
"dateReserved": "2026-03-09T09:07:18.132Z",
"dateUpdated": "2026-03-16T15:29:03.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}