VYPR
Vendor

Litespeedtech

Products
9
CVEs
37
Across products
45
Status
Private

Products

9

Recent CVEs

37
View all 37 CVEs →
  • CVE-2026-48172CriKEVMay 21, 2026
    risk 0.76cvss 9.8epss 0.19

    LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash.…

  • CVE-2024-44000CriOct 20, 2024
    risk 0.74cvss 9.8epss 0.83

    Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.

  • CVE-2024-28000CriAug 21, 2024
    risk 0.74cvss 9.8epss 0.68

    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache.This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1.

  • CVE-2026-54420HigKEVJun 14, 2026
    risk 0.67cvss 8.5epss 0.01

    LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

  • CVE-2023-40000HigApr 16, 2024
    risk 0.60cvss 8.3epss 0.55

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.

  • CVE-2021-47903HigJan 23, 2026
    risk 0.57cvss 8.8epss 0.01

    LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code…

  • CVE-2024-50550HigOct 29, 2024
    risk 0.53cvss 8.1epss 0.01

    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through <= 6.5.1.

  • CVE-2023-45000HigApr 16, 2024
    risk 0.53cvss 8.2epss 0.00

    Missing Authorization vulnerability in LiteSpeed Technologies LiteSpeed Cache.This issue affects LiteSpeed Cache: from n/a through 5.7.

  • CVE-2024-47637HigOct 16, 2024
    risk 0.50cvss 8.8epss 0.01

    Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Path Traversal.This issue affects LiteSpeed Cache: from n/a through <= 6.4.1.

  • CVE-2015-3890HigSep 20, 2017
    risk 0.49cvss 7.5epss 0.01

    Use-after-free vulnerability in Open Litespeed before 1.3.10.

  • CVE-2026-31386HigMar 16, 2026
    risk 0.47cvss 7.2epss 0.02

    OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.

  • CVE-2021-47855HigJan 21, 2026
    risk 0.47cvss 7.2epss 0.00

    Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an…

  • CVE-2024-47374HigOct 5, 2024
    risk 0.41cvss 7.1epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through <= 6.5.0.2.

  • CVE-2024-47373MedOct 5, 2024
    risk 0.35cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through <= 6.5.0.2.

  • CVE-2023-4372MedJan 11, 2024
    risk 0.35cvss 6.4epss 0.20

    The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated…

  • CVE-2025-12450MedOct 29, 2025
    risk 0.33cvss 6.1epss 0.00

    The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary…

  • CVE-2025-24947MedFeb 20, 2025
    risk 0.27cvss 5.3epss 0.01

    A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs…

  • CVE-2010-2333Jun 18, 2010
    risk 0.08cvss epss 0.60

    LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension.

  • CVE-2007-5654Oct 23, 2007
    risk 0.06cvss epss 0.41

    LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source code via requests for .php%00.txt files, aka "Mime Type Injection."

  • CVE-2012-4871Sep 6, 2012
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter.