Openlitespeed
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-3890 | | High | 0.49 | 7.5 | 0.01 | | Sep 20, 2017 | Use-after-free vulnerability in Open Litespeed before 1.3.10. |
| CVE-2026-31386 | | High | 0.47 | 7.2 | 0.02 | | Mar 16, 2026 | OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege. |
| CVE-2021-47855 | | High | 0.47 | 7.2 | 0.00 | | Jan 21, 2026 | Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an… |
| CVE-2024-31617 | | | 0.00 | — | 0.00 | | May 22, 2024 | OpenLiteSpeed before 1.8.1 mishandles chunked encoding. |
| CVE-2023-40518 | | | 0.00 | — | 0.01 | | Aug 14, 2023 | LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers. |
| CVE-2022-0074 | | | 0.00 | — | 0.01 | | Oct 27, 2022 | Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1. |
| CVE-2022-0073 | | | 0.00 | — | 0.09 | | Oct 27, 2022 | Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1. |
| CVE-2022-0072 | | | 0.00 | — | 0.01 | | Oct 27, 2022 | Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1. |
| CVE-2021-26758 | | | 0.00 | — | 0.03 | | Apr 7, 2021 | Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system. |
| CVE-2020-5519 | | | 0.00 | — | 0.01 | | Jan 6, 2020 | The WebAdmin Console in OpenLiteSpeed before v1.6.5 does not strictly check request URLs, as demonstrated by the "Server Configuration > External App" screen. |
| CVE-2018-19791 | | | 0.00 | — | 0.01 | | Dec 3, 2018 | The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the… |
| CVE-2018-19792 | | | 0.00 | — | 0.00 | | Dec 3, 2018 | The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../… |