
OpenLiteSpeed: EUVD-2026-12333 | CVE-2026-31386 (HIGH)
OS Command Injection (CWE-78)
Published 2026-03-16 · Reporter: JPCERT/CC
CVSS 4.0 base score 8.6 (NVD)

Severity by source

NVD (primary): 8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS vector breakdown (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not defined in the vector)

Lifecycle Timeline (7 events, newest first)

  • Jun 08, 2026 13:28, vuln.today: Analysis updated, v3 (cvss_changed)
  • Jun 08, 2026 13:27, vuln.today: Analysis updated, v2 (cvss_changed)
  • Jun 08, 2026 13:22, vuln.today: Re-analysis queued (cvss_changed)
  • Jun 08, 2026 13:22, NVD: CVSS changed, 7.2 (HIGH) → 8.6 (HIGH)
  • Mar 16, 2026 06:00, euvd: EUVD ID assigned, EUVD-2026-12333
  • Mar 16, 2026 06:00, vuln.today: Analysis generated
  • Mar 16, 2026 05:21, nvd: CVE published, HIGH 7.2

Description (source: CVE.org)

OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with administrative privilege.

Analysis (AI-generated)

OS command injection in OpenLiteSpeed and LSWS Enterprise web servers from LiteSpeed Technologies allows administrative users to execute arbitrary operating system commands on the host. The flaw affects all versions of both products per ENISA EUVD and was reported by JPCERT/CC via JVN. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain WebAdmin admin credentials
  • Delivery: Reach admin console over network
  • Exploit: Submit crafted value with shell metacharacters
  • Execution: Server interpolates input into OS command
  • Persist: Arbitrary commands execute as server user
  • Impact: Establish persistence or pivot into host

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must already hold administrative (WebAdmin) privileges on the OpenLiteSpeed or LSWS Enterprise instance (CVSS PR:H), and the WebAdmin interface must be reachable over the network from the attacker's position (AV:N). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) describes a network-reachable, low-complexity attack that requires high privileges (administrator) and no user interaction, yielding high impact on confidentiality, integrity, and availability of the vulnerable system but no scope change to other components. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained WebAdmin credentials (through credential reuse, phishing, a leaked backup, or an over-privileged delegated hosting account) authenticates to the OpenLiteSpeed or LSWS Enterprise administrative interface over the network. They submit a crafted configuration value containing shell metacharacters into a field that is later interpolated into an OS command by the server, causing arbitrary commands to execute as the server account. …

Remediation: No vendor-released patch was identified at the time of analysis in the provided data; consult the JVN advisory at https://jvn.jp/en/jp/JVN22152812/ and the LiteSpeed Technologies product pages (https://openlitespeed.org/ and https://www.litespeedtech.com/products/litespeed-web-server) for the fixed release and upgrade to it as soon as it is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Inventory all OpenLiteSpeed and LSWS Enterprise deployments; enforce multi-factor authentication on all administrative accounts; audit and revoke unnecessary administrative privileges. …


EUVD-2026-12333 vulnerability details – vuln.today
