CVE-2021-26758

HIGH

OpenLiteSpeed 1.7.8 - Privilege Escalation to Root via Command Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-26758. PoCs published by Metin Yunus Kandemir.

AI-analyzed exploit summary: This exploit leverages a command injection vulnerability in OpenLiteSpeed 1.7.8 via the 'path' parameter in the extApp configuration, allowing authenticated attackers to execute arbitrary commands and escalate privileges by joining privileged groups like 'shadow'.

Description

Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system.

Exploits (1)

Exploit-DB · Working PoC · Verified
by Metin Yunus Kandemir · python · webapps · multiple
https://www.exploit-db.com/exploits/49556

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenLiteSpeed 1.7.8
Auth required
Prerequisites: Valid credentials for the OpenLiteSpeed admin panel · Network access to the target's admin interface (default port 7080)
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/litespeedtech/openlitespeed/issues/217
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/49556

Scores

CVSS v3: 8.8
EPSS: 0.0271
EPSS Percentile: 84.0%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-269
Status: published
Products (1): litespeedtech/openlitespeed 1.7.8
Published: Apr 07, 2021
Tracked Since: Feb 18, 2026