VYPR

Vendor CVEs

Litespeedtech

All CVEs

37 total · sorted by risk
  • CVE-2026-48172CriKEVMay 21, 2026
    risk 0.76cvss 9.8epss 0.19

    LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash.…

  • CVE-2024-44000CriOct 20, 2024
    risk 0.74cvss 9.8epss 0.83

    Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.

  • CVE-2024-28000CriAug 21, 2024
    risk 0.74cvss 9.8epss 0.68

    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache.This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1.

  • CVE-2026-54420HigKEVJun 14, 2026
    risk 0.67cvss 8.5epss 0.01

    LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026.

  • CVE-2023-40000HigApr 16, 2024
    risk 0.60cvss 8.3epss 0.55

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.

  • CVE-2021-47903HigJan 23, 2026
    risk 0.57cvss 8.8epss 0.01

    LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code…

  • CVE-2024-50550HigOct 29, 2024
    risk 0.53cvss 8.1epss 0.01

    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through <= 6.5.1.

  • CVE-2023-45000HigApr 16, 2024
    risk 0.53cvss 8.2epss 0.00

    Missing Authorization vulnerability in LiteSpeed Technologies LiteSpeed Cache.This issue affects LiteSpeed Cache: from n/a through 5.7.

  • CVE-2024-47637HigOct 16, 2024
    risk 0.50cvss 8.8epss 0.01

    Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Path Traversal.This issue affects LiteSpeed Cache: from n/a through <= 6.4.1.

  • CVE-2015-3890HigSep 20, 2017
    risk 0.49cvss 7.5epss 0.01

    Use-after-free vulnerability in Open Litespeed before 1.3.10.

  • CVE-2026-31386HigMar 16, 2026
    risk 0.47cvss 7.2epss 0.02

    OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.

  • CVE-2021-47855HigJan 21, 2026
    risk 0.47cvss 7.2epss 0.00

    Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an…

  • CVE-2024-47374HigOct 5, 2024
    risk 0.41cvss 7.1epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through <= 6.5.0.2.

  • CVE-2024-47373MedOct 5, 2024
    risk 0.35cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through <= 6.5.0.2.

  • CVE-2023-4372MedJan 11, 2024
    risk 0.35cvss 6.4epss 0.20

    The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated…

  • CVE-2025-12450MedOct 29, 2025
    risk 0.33cvss 6.1epss 0.00

    The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary…

  • CVE-2025-24947MedFeb 20, 2025
    risk 0.27cvss 5.3epss 0.01

    A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs…

  • CVE-2010-2333Jun 18, 2010
    risk 0.08cvss epss 0.60

    LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension.

  • CVE-2007-5654Oct 23, 2007
    risk 0.06cvss epss 0.41

    LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source code via requests for .php%00.txt files, aka "Mime Type Injection."

  • CVE-2012-4871Sep 6, 2012
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter.

  • CVE-2005-3695Nov 20, 2005
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/config/confMgr.php in LiteSpeed Web Server 2.1.5 allows remote attackers to inject arbitrary web script or HTML via the m parameter.

  • CVE-2004-0112Nov 23, 2004
    risk 0.01cvss epss 0.10

    The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake…

  • CVE-2025-54939Aug 1, 2025
    risk 0.00cvss epss 0.01

    LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.

  • CVE-2024-9169Sep 25, 2024
    risk 0.00cvss epss 0.00

    The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2024-3246Jul 24, 2024
    risk 0.00cvss epss 0.00

    The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject…

  • CVE-2024-31617May 22, 2024
    risk 0.00cvss epss 0.00

    OpenLiteSpeed before 1.8.1 mishandles chunked encoding.

  • CVE-2024-25678Feb 9, 2024
    risk 0.00cvss epss 0.00

    In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.

  • CVE-2023-40518Aug 14, 2023
    risk 0.00cvss epss 0.01

    LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers.

  • CVE-2022-46800May 25, 2023
    risk 0.00cvss epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache plugin <= 5.3 versions.

  • CVE-2022-0074Oct 27, 2022
    risk 0.00cvss epss 0.01

    Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.

  • CVE-2022-0073Oct 27, 2022
    risk 0.00cvss epss 0.09

    Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.

  • CVE-2022-0072Oct 27, 2022
    risk 0.00cvss epss 0.01

    Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

  • CVE-2022-30592May 11, 2022
    risk 0.00cvss epss 0.03

    liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.

  • CVE-2021-26758Apr 7, 2021
    risk 0.00cvss epss 0.03

    Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system.

  • CVE-2020-5519Jan 6, 2020
    risk 0.00cvss epss 0.01

    The WebAdmin Console in OpenLiteSpeed before v1.6.5 does not strictly check request URLs, as demonstrated by the "Server Configuration > External App" screen.

  • CVE-2018-19791Dec 3, 2018
    risk 0.00cvss epss 0.01

    The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the…

  • CVE-2018-19792Dec 3, 2018
    risk 0.00cvss epss 0.00

    The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 allows local users to cause a denial of service (buffer overflow) or possibly have unspecified other impact by creating a symlink through which the openlitespeed program can be invoked with a long command name (involving ../…