{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31386", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-09T09:07:18.132Z", "datePublished": "2026-03-16T05:21:13.948Z", "dateUpdated": "2026-03-16T15:29:03.838Z"}, "containers": {"cna": {"affected": [{"vendor": "LiteSpeed Technologies", "product": "OpenLiteSpeed", "versions": [{"version": "all versions", "status": "affected"}]}, {"vendor": "LiteSpeed Technologies", "product": "LSWS Enterprise", "versions": [{"version": "all versions", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", "lang": "en-US", "cweId": "CWE-78", "type": "CWE"}]}], "references": [{"url": "https://openlitespeed.org/"}, {"url": "https://www.litespeedtech.com/products/litespeed-web-server"}, {"url": "https://jvn.jp/en/jp/JVN22152812/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-16T05:21:13.948Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:28:55.405089Z", "id": "CVE-2026-31386", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:29:03.838Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:28:55.405089Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:28:59.211Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "LiteSpeed Technologies", "product": "OpenLiteSpeed", "versions": [{"status": "affected", "version": "all versions"}]}, {"vendor": "LiteSpeed Technologies", "product": "LSWS Enterprise", "versions": [{"status": "affected", "version": "all versions"}]}], "references": [{"url": "https://openlitespeed.org/"}, {"url": "https://www.litespeedtech.com/products/litespeed-web-server"}, {"url": "https://jvn.jp/en/jp/JVN22152812/"}], "descriptions": [{"lang": "en", "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-78", "description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-16T05:21:13.948Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31386", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:29:03.838Z", "dateReserved": "2026-03-09T09:07:18.132Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-16T05:21:13.948Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."}], "id": "CVE-2026-31386", "lastModified": "2026-03-16T14:53:07.390", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-03-16T14:19:33.170", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN22152812/"}, {"source": "vultures@jpcert.or.jp", "url": "https://openlitespeed.org/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.litespeedtech.com/products/litespeed-web-server"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LSWS Enterprise", "source": "cna", "vendor": "LiteSpeed Technologies"}, "product": "lsws_enterprise", "vendor": "litespeed_technologies"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenLiteSpeed", "source": "cna", "vendor": "LiteSpeed Technologies"}, "product": "openlitespeed", "vendor": "litespeed_technologies"}], "analysis": {"en": {"generated_at": "2026-03-17T11:43:31.615363+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released patch for OpenLiteSpeed and LSWS Enterprise as soon as it becomes available.", "If a patch is not yet released, limit the administrative interface to trusted IP addresses and enforce multi\u2011factor authentication.", "Consider disabling or restricting features that allow arbitrary command execution, if supported by configuration.", "Continuously monitor for new advisories from LiteSpeed Technologies and apply updates promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution via Administrative Privilege"}, "threat_synthesis": {"affected_systems": "The affected vendors and products are LiteSpeed Technologies: LSWS Enterprise and LiteSpeed Technologies: OpenLiteSpeed. No specific affected version ranges were provided in the CNA information, so all installations of these products are potentially vulnerable until a patch is applied.", "description_and_impact": "OpenLiteSpeed and LSWS Enterprise contain an OS command injection vulnerability that allows an attacker with administrative credentials to execute arbitrary operating system commands. This flaw is a classic example of CWE-78 (OS Command Injection) and can lead to full compromise of the targeted server, affecting confidentiality, integrity, and availability of all services hosted on the affected machine.", "risk_and_exploitability": "The CVSS v3.1 score of 8.6 classifies the vulnerability as \u2018High\u2019 severity, indicating the potential for significant impact if exploited. The EPSS score of less than 1% suggests low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. However, the likely attack vector requires administrative access, implying that it is exploitable once an attacker or compromised admin account gains entry. Given the severity, systems should treat this as a priority risk."}}}}, "created": "2026-03-17T09:55:00.725696+00:00", "title": "Admin Command Injection Vulnerability in LiteSpeed OpenLiteSpeed and LSWS Enterprise", "updated": "2026-03-24T10:45:48.645161+00:00", "vendors": ["litespeed_technologies", "litespeed_technologies$PRODUCT$lsws_enterprise", "litespeed_technologies$PRODUCT$openlitespeed"]}