CVE-2023-40000

Published Apr 16, 2024

Last updated a month ago

CVSS high 8.3
XSS

Overview

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.
Source
audit@patchstack.com
NVD status
Modified
Products
litespeed_cache

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

audit@patchstack.com
CWE-79

Social media

Hype score
Not currently trending

  1. SolarWinds Web Help Desk has a critical pre-auth RCE chain (CVE-2023-40000-02). Unauthenticated attackers can execute code on the server. Patch to v12.8.2 or later. Stay ahead of attackers. Follow for daily updates.

    @cybrmaker

    2 Mar 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CVE-2023-40000 - high 🚨 LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS > Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ... 👾 https://t.co/TUmvZtYocq @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    19 Sept 2025

    254 Impressions

    0 Retweets

    6 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  3. Threat Alert: LiteSpeed Cache WordPress plugin bug lets hackers get admin access CVE-2024-50550 CVE-2023-40000 CVE-2024-28000 Severity: ⚠️ Critical Maturity: 💥 Mainstream Learn more: https://t.co/LoSwPs80iG #CyberSecurity #ThreatIntel #InfoSec (1/3)

    @fletch_ai

    31 Oct 2024

    32 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser.CVE-2026-29964
  2. NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users.CVE-2020-37236
  3. Microsoft Exchange Server Cross-Site Scripting VulnerabilityCVE-2026-42897
  4. Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.CVE-2026-34686
  5. A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header.CVE-2026-29933

References

Sources include official advisories and independent security research.