This page lists publicly disclosed CVE vulnerabilities affecting litespeedtech litespeed_web_server (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-31386 | OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege. | [email protected] | 8.6 | 0.16% | 2026-03-16 | 2026-06-08 |
| CVE-2025-54939 | LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak. | [email protected] | 5.3 | 0.56% | 2025-08-01 | 2025-08-27 |
| CVE-2012-4871 | Cross-site scripting (XSS) vulnerability in service/graph_html.php in the administrator panel in LiteSpeed Web Server 4.1.11 allows remote attackers to inject arbitrary web script or HTML via the gtitle parameter. | [email protected] | 4.3 | 5.45% | 2012-09-06 | 2026-04-29 |
| CVE-2010-2333 | LiteSpeed Technologies LiteSpeed Web Server 4.0.x before 4.0.15 allows remote attackers to read the source code of scripts via an HTTP request with a null byte followed by a .txt file extension. | [email protected] | 5.0 | 76.49% | 2010-06-18 | 2026-04-29 |
| CVE-2004-0112 | The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. | [email protected] | 5.0 | 0.92% | 2004-11-23 | 2026-04-16 |