{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31386", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-03-09T09:07:18.132Z", "datePublished": "2026-03-16T05:21:13.948Z", "dateUpdated": "2026-03-16T15:29:03.838Z"}, "containers": {"cna": {"affected": [{"vendor": "LiteSpeed Technologies", "product": "OpenLiteSpeed", "versions": [{"version": "all versions", "status": "affected"}]}, {"vendor": "LiteSpeed Technologies", "product": "LSWS Enterprise", "versions": [{"version": "all versions", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", "lang": "en-US", "cweId": "CWE-78", "type": "CWE"}]}], "references": [{"url": "https://openlitespeed.org/"}, {"url": "https://www.litespeedtech.com/products/litespeed-web-server"}, {"url": "https://jvn.jp/en/jp/JVN22152812/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-16T05:21:13.948Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:28:55.405089Z", "id": "CVE-2026-31386", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:29:03.838Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:28:55.405089Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:28:59.211Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "LiteSpeed Technologies", "product": "OpenLiteSpeed", "versions": [{"status": "affected", "version": "all versions"}]}, {"vendor": "LiteSpeed Technologies", "product": "LSWS Enterprise", "versions": [{"status": "affected", "version": "all versions"}]}], "references": [{"url": "https://openlitespeed.org/"}, {"url": "https://www.litespeedtech.com/products/litespeed-web-server"}, {"url": "https://jvn.jp/en/jp/JVN22152812/"}], "descriptions": [{"lang": "en", "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-78", "description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-03-16T05:21:13.948Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31386", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:29:03.838Z", "dateReserved": "2026-03-09T09:07:18.132Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-03-16T05:21:13.948Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"product": "OpenLiteSpeed", "vendor": "LiteSpeed Technologies", "versions": [{"status": "affected", "version": "all versions"}]}, {"product": "LSWS Enterprise", "vendor": "LiteSpeed Technologies", "versions": [{"status": "affected", "version": "all versions"}]}], "source": "vultures@jpcert.or.jp"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABF7A1D1-3E17-49C5-81B2-8229E67B80F2", "versionEndExcluding": "6.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:*", "matchCriteriaId": "7359C0A2-D90D-4062-89F6-DE4EAE5DF2A2", "versionEndIncluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege."}, {"lang": "es", "value": "OpenLiteSpeed y LSWS Enterprise proporcionados por LiteSpeed Technologies contienen una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo. Un comando arbitrario del sistema operativo puede ser ejecutado por un atacante con privilegios administrativos."}], "id": "CVE-2026-31386", "lastModified": "2026-06-17T10:33:36.717", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-31386", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2026-03-16T15:28:55.405089Z", "version": "2.0.3"}}]}, "published": "2026-03-16T14:19:33.170", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN22152812/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://openlitespeed.org/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://www.litespeedtech.com/products/litespeed-web-server"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LSWS Enterprise", "source": "cna", "vendor": "LiteSpeed Technologies"}, "product": "lsws_enterprise", "vendor": "litespeed_technologies"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenLiteSpeed", "source": "cna", "vendor": "LiteSpeed Technologies"}, "product": "openlitespeed", "vendor": "litespeed_technologies"}], "created": "2026-03-17T09:55:00.725696+00:00", "updated": "2026-06-18T13:45:05.899113+00:00", "vendors": ["litespeed_technologies", "litespeed_technologies$PRODUCT$lsws_enterprise", "litespeed_technologies$PRODUCT$openlitespeed"]}