OpenLiteSpeed Stored Cross-Site Scripting Vulnerability in Notes Parameter

Vulnerability

A stored cross-site scripting vulnerability has been identified in OpenLiteSpeed version 1.7.9. This issue resides in the dashboard's Notes parameter, allowing administrators to inject malicious scripts. The vulnerability can be exploited by crafting a payload in the Notes field during listener configuration, which will execute when an administrator clicks on the Default Icon.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the OpenLiteSpeed dashboard as an administrator. Navigate to 'Listeners' and select 'Summary'. Click on 'Actions', then 'View', and choose 'Edit'. In the 'Notes' parameter, inject a script payload, such as a JavaScript alert. After saving the changes, perform a graceful restart. The injected script will execute when the Default Icon is clicked.
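The flaw class behind these steps, as an added example that is not part of the original advisory and is not OpenLiteSpeed's WebAdmin code: a stored note written into markup unencoded, next to an output-encoded version and a save-time check. The markup, function names and sample note are assumptions constructed for illustration.

```javascript
// Hypothetical helpers for illustration; not OpenLiteSpeed's actual templates.
// Constructed sample of a stored listener note carrying markup.
const SAMPLE_NOTE = '<script>alert(1)</script>" onmouseover="alert(2)';

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the stored note is concatenated into markup as-is, so the
// browser parses operator-supplied text as HTML (stored XSS).
function renderNoteUnsafe(note) {
  return '<span class="note-icon" title="' + note + '">' + note + '</span>';
}

// After: the note is encoded at output time, covering both the
// attribute context (title) and the element body.
function renderNoteSafe(note) {
  const encoded = escapeHtml(note);
  return '<span class="note-icon" title="' + encoded + '">' + encoded + '</span>';
}

// Save-time check as defence in depth (assumed policy): notes are free
// text, so reject markup delimiters and control characters other than
// tab, LF and CR, and cap the length.
function validateNote(note, maxLen = 512) {
  if (typeof note !== 'string' || note.length > maxLen) return false;
  return !/[<>\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(note);
}

console.log('unsafe:', renderNoteUnsafe(SAMPLE_NOTE));
console.log('safe:  ', renderNoteSafe(SAMPLE_NOTE));
console.log('accepted on save:', validateNote(SAMPLE_NOTE));
```

Output encoding is the control that closes the issue; the save-time check only reduces what reaches storage and does not protect notes already saved.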

Added: Jan 21, 2026, 6:25 PM
Updated: Jan 21, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 6.0
exploitability: 6.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.