PatchSiren cyber security CVE debrief

CVE-2026-31386 LiteSpeed Technologies CVE debrief

CVE-2026-31386 is an OS command injection vulnerability in OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies. An attacker with administrative privilege can execute an arbitrary OS command.

Vendor: LiteSpeed Technologies
Product: OpenLiteSpeed
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-16
Original CVE updated: 2026-06-08
Advisory published: 2026-03-16
Advisory updated: 2026-06-08

Who should care

Administrators and users of OpenLiteSpeed and LSWS Enterprise, both provided by LiteSpeed Technologies, should review this vulnerability and apply the upgrades listed under Recommended defensive actions.

Technical summary

The vulnerability has a CVSS score of 8.6 and is classified as HIGH severity. The affected products are OpenLiteSpeed and LSWS Enterprise, with specific CPE criteria listed: cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:* (up to 6.3.5) and cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:* (up to 1.9.0). The weakness is categorized as CWE-78.

Defensive priority

high

Recommended defensive actions

  • Upgrade OpenLiteSpeed to a version greater than 1.9.0.
  • Upgrade LSWS Enterprise to a version greater than 6.3.5.
  • Refer to the JVN advisory [JVN22152812](https://jvn.jp/en/jp/JVN22152812/) for additional mitigation or vendor reference.
  • Visit [openlitespeed.org](https://openlitespeed.org/) and the [LiteSpeed Web Server product page](https://www.litespeedtech.com/products/litespeed-web-server) for product information.

Evidence notes

The information is based on data from [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31386) and [CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-31386).

Official resources

CVE-2026-31386 was published on 2026-03-16T14:19:33.170Z and last modified on 2026-06-08T13:14:09.423Z.