    8 vulnerabilities found for litespeed_web_server by litespeedtech

    CVE-2026-31386 (GCVE-0-2026-31386)

    Vulnerability from nvd – Published: 2026-03-16 05:21 – Updated: 2026-03-16 15:29
    Summary
    OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-16T15:28:55.405089Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-16T15:29:03.838Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OpenLiteSpeed",
              "vendor": "LiteSpeed Technologies",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            },
            {
              "product": "LSWS Enterprise",
              "vendor": "LiteSpeed Technologies",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-16T05:21:13.948Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://openlitespeed.org/"
            },
            {
              "url": "https://www.litespeedtech.com/products/litespeed-web-server"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN22152812/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2026-31386",
        "datePublished": "2026-03-16T05:21:13.948Z",
        "dateReserved": "2026-03-09T09:07:18.132Z",
        "dateUpdated": "2026-03-16T15:29:03.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54939 (GCVE-0-2025-54939)

    Vulnerability from nvd – Published: 2025-08-01 00:00 – Updated: 2025-08-20 19:55
    Summary
    LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Impacted products
    Vendor Product Version
    litespeedtech LSQUIC Affected: 0 , < 4.3.1 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-01T17:49:17.600012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-01T17:49:41.258Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LSQUIC",
              "vendor": "litespeedtech",
              "versions": [
                {
                  "lessThan": "4.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:litespeedtech:lsquic:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.3.1",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-20T19:55:50.645Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/litespeedtech/lsquic/blob/70486141724f85e97b08f510673e29f399bbae8f/CHANGELOG#L1-L3"
            },
            {
              "url": "https://github.com/litespeedtech/lsquic/commit/4cd9252e77fb4a36b572e2167a84067d603d3b23"
            },
            {
              "url": "https://www.imperva.com/blog/quic-leak-cve-2025-54939-new-high-risk-pre-handshake-remote-denial-of-service-in-lsquic-quic-implementation/"
            },
            {
              "url": "https://blog.litespeedtech.com/2025/08/18/litespeed-security-update/"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-54939",
        "datePublished": "2025-08-01T00:00:00.000Z",
        "dateReserved": "2025-08-01T00:00:00.000Z",
        "dateUpdated": "2025-08-20T19:55:50.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2012-4871 (GCVE-0-2012-4871)

    Vulnerability from nvd – Published: 2012-09-06 21:00 – Updated: 2024-08-06 20:50
    Summary
    Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    References
    URL Tags
    http://packetstormsecurity.org/files/110974/LiteS… x_refsource_MISC
    http://secunia.com/advisories/48400 third-party-advisory x_refsource_SECUNIA
    http://k1p0d.com/?p=25 x_refsource_MISC
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entry x_refsource_XF
    Date Public
    2012-03-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T20:50:17.505Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html"
              },
              {
                "name": "48400",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/48400"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://k1p0d.com/?p=25"
              },
              {
                "name": "litespeed-graphhtml-xss(74144)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74144"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-03-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-28T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html"
            },
            {
              "name": "48400",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/48400"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://k1p0d.com/?p=25"
            },
            {
              "name": "litespeed-graphhtml-xss(74144)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74144"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2012-4871",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html"
                },
                {
                  "name": "48400",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/48400"
                },
                {
                  "name": "http://k1p0d.com/?p=25",
                  "refsource": "MISC",
                  "url": "http://k1p0d.com/?p=25"
                },
                {
                  "name": "litespeed-graphhtml-xss(74144)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74144"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2012-4871",
        "datePublished": "2012-09-06T21:00:00.000Z",
        "dateReserved": "2012-09-06T00:00:00.000Z",
        "dateUpdated": "2024-08-06T20:50:17.505Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2010-2333 (GCVE-0-2010-2333)

    Vulnerability from nvd – Published: 2010-06-18 20:00 – Updated: 2024-08-07 02:32
    Summary
    LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension.
    Severity
    No CVSS data available.
    CWE
    • n/a
    References
    URL Tags
    http://www.exploit-db.com/exploits/13850 exploit x_refsource_EXPLOIT-DB
    http://www.litespeedtech.com/latest/litespeed-web… x_refsource_CONFIRM
    http://osvdb.org/65476 vdb-entry x_refsource_OSVDB
    http://secunia.com/advisories/40128 third-party-advisory x_refsource_SECUNIA
    http://www.litespeedtech.com/support/forum/showth… x_refsource_MISC
    http://seclists.org/fulldisclosure/2010/Jun/288 mailing-list x_refsource_FULLDISC
    http://www.securityfocus.com/bid/40815 vdb-entry x_refsource_BID
    Date Public
    2010-06-13 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T02:32:16.249Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "13850",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/13850"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html"
              },
              {
                "name": "65476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/65476"
              },
              {
                "name": "40128",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/40128"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078"
              },
              {
                "name": "20100613 Litespeed Technologies Web Server Remote Poison null byte Zero-Day",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2010/Jun/288"
              },
              {
                "name": "40815",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/40815"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2010-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2010-07-13T09:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "13850",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/13850"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html"
            },
            {
              "name": "65476",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/65476"
            },
            {
              "name": "40128",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/40128"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078"
            },
            {
              "name": "20100613 Litespeed Technologies Web Server Remote Poison null byte Zero-Day",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2010/Jun/288"
            },
            {
              "name": "40815",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/40815"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2010-2333",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "13850",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/13850"
                },
                {
                  "name": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html"
                },
                {
                  "name": "65476",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/65476"
                },
                {
                  "name": "40128",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/40128"
                },
                {
                  "name": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078",
                  "refsource": "MISC",
                  "url": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078"
                },
                {
                  "name": "20100613 Litespeed Technologies Web Server Remote Poison null byte Zero-Day",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2010/Jun/288"
                },
                {
                  "name": "40815",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/40815"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2010-2333",
        "datePublished": "2010-06-18T20:00:00.000Z",
        "dateReserved": "2010-06-18T00:00:00.000Z",
        "dateUpdated": "2024-08-07T02:32:16.249Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-31386 (GCVE-0-2026-31386)

    Vulnerability from cvelistv5 – Published: 2026-03-16 05:21 – Updated: 2026-03-16 15:29
    Summary
    OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-16T15:28:55.405089Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-16T15:29:03.838Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OpenLiteSpeed",
              "vendor": "LiteSpeed Technologies",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            },
            {
              "product": "LSWS Enterprise",
              "vendor": "LiteSpeed Technologies",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-16T05:21:13.948Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://openlitespeed.org/"
            },
            {
              "url": "https://www.litespeedtech.com/products/litespeed-web-server"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN22152812/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2026-31386",
        "datePublished": "2026-03-16T05:21:13.948Z",
        "dateReserved": "2026-03-09T09:07:18.132Z",
        "dateUpdated": "2026-03-16T15:29:03.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54939 (GCVE-0-2025-54939)

    Vulnerability from cvelistv5 – Published: 2025-08-01 00:00 – Updated: 2025-08-20 19:55
    VLAI
    Summary
    LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    litespeedtech LSQUIC Affected: 0, < 4.3.1 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-01T17:49:17.600012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-01T17:49:41.258Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LSQUIC",
              "vendor": "litespeedtech",
              "versions": [
                {
                  "lessThan": "4.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:litespeedtech:lsquic:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "4.3.1",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-20T19:55:50.645Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/litespeedtech/lsquic/blob/70486141724f85e97b08f510673e29f399bbae8f/CHANGELOG#L1-L3"
            },
            {
              "url": "https://github.com/litespeedtech/lsquic/commit/4cd9252e77fb4a36b572e2167a84067d603d3b23"
            },
            {
              "url": "https://www.imperva.com/blog/quic-leak-cve-2025-54939-new-high-risk-pre-handshake-remote-denial-of-service-in-lsquic-quic-implementation/"
            },
            {
              "url": "https://blog.litespeedtech.com/2025/08/18/litespeed-security-update/"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-54939",
        "datePublished": "2025-08-01T00:00:00.000Z",
        "dateReserved": "2025-08-01T00:00:00.000Z",
        "dateUpdated": "2025-08-20T19:55:50.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2012-4871 (GCVE-0-2012-4871)

    Vulnerability from cvelistv5 – Published: 2012-09-06 21:00 – Updated: 2024-08-06 20:50
    VLAI
    Summary
    Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://packetstormsecurity.org/files/110974/LiteS… x_refsource_MISC
    http://secunia.com/advisories/48400 third-party-advisory, x_refsource_SECUNIA
    http://k1p0d.com/?p=25 x_refsource_MISC
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entry, x_refsource_XF
    Date Public
    2012-03-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T20:50:17.505Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html"
              },
              {
                "name": "48400",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/48400"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://k1p0d.com/?p=25"
              },
              {
                "name": "litespeed-graphhtml-xss(74144)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74144"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-03-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-28T12:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html"
            },
            {
              "name": "48400",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/48400"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://k1p0d.com/?p=25"
            },
            {
              "name": "litespeed-graphhtml-xss(74144)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74144"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2012-4871",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.org/files/110974/LiteSpeed-4.1.11-Cross-Site-Scripting.html"
                },
                {
                  "name": "48400",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/48400"
                },
                {
                  "name": "http://k1p0d.com/?p=25",
                  "refsource": "MISC",
                  "url": "http://k1p0d.com/?p=25"
                },
                {
                  "name": "litespeed-graphhtml-xss(74144)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74144"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2012-4871",
        "datePublished": "2012-09-06T21:00:00.000Z",
        "dateReserved": "2012-09-06T00:00:00.000Z",
        "dateUpdated": "2024-08-06T20:50:17.505Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2010-2333 (GCVE-0-2010-2333)

    Vulnerability from cvelistv5 – Published: 2010-06-18 20:00 – Updated: 2024-08-07 02:32
    VLAI
    Summary
    LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.exploit-db.com/exploits/13850 exploit, x_refsource_EXPLOIT-DB
    http://www.litespeedtech.com/latest/litespeed-web… x_refsource_CONFIRM
    http://osvdb.org/65476 vdb-entry, x_refsource_OSVDB
    http://secunia.com/advisories/40128 third-party-advisory, x_refsource_SECUNIA
    http://www.litespeedtech.com/support/forum/showth… x_refsource_MISC
    http://seclists.org/fulldisclosure/2010/Jun/288 mailing-list, x_refsource_FULLDISC
    http://www.securityfocus.com/bid/40815 vdb-entry, x_refsource_BID
    Date Public
    2010-06-13 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T02:32:16.249Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "13850",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/13850"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html"
              },
              {
                "name": "65476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/65476"
              },
              {
                "name": "40128",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/40128"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078"
              },
              {
                "name": "20100613 Litespeed Technologies Web Server Remote Poison null byte Zero-Day",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2010/Jun/288"
              },
              {
                "name": "40815",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/40815"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2010-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2010-07-13T09:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "13850",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/13850"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html"
            },
            {
              "name": "65476",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/65476"
            },
            {
              "name": "40128",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/40128"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078"
            },
            {
              "name": "20100613 Litespeed Technologies Web Server Remote Poison null byte Zero-Day",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2010/Jun/288"
            },
            {
              "name": "40815",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/40815"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2010-2333",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "13850",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/13850"
                },
                {
                  "name": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html",
                  "refsource": "CONFIRM",
                  "url": "http://www.litespeedtech.com/latest/litespeed-web-server-4.0.15-released.html"
                },
                {
                  "name": "65476",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/65476"
                },
                {
                  "name": "40128",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/40128"
                },
                {
                  "name": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078",
                  "refsource": "MISC",
                  "url": "http://www.litespeedtech.com/support/forum/showthread.php?t=4078"
                },
                {
                  "name": "20100613 Litespeed Technologies Web Server Remote Poison null byte Zero-Day",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2010/Jun/288"
                },
                {
                  "name": "40815",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/40815"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2010-2333",
        "datePublished": "2010-06-18T20:00:00.000Z",
        "dateReserved": "2010-06-18T00:00:00.000Z",
        "dateUpdated": "2024-08-07T02:32:16.249Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }