CVE-2026-31386

HIGH

OpenLiteSpeed and LSWS Enterprise - Authenticated OS Command Injection


Description

OpenLiteSpeed and LSWS Enterprise, provided by LiteSpeed Technologies, contain an OS command injection vulnerability. An attacker with administrative privileges may execute arbitrary OS commands.

Scores

CVSS v3 7.2
EPSS 0.0151
EPSS Percentile 71.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (4)
LiteSpeed Technologies/LSWS Enterprise all versions
LiteSpeed Technologies/OpenLiteSpeed all versions
litespeedtech/litespeed_web_server < 6.3.5
litespeedtech/openlitespeed < 1.9.0
Published Mar 16, 2026
Tracked Since Mar 16, 2026