LiteSpeed Web Server changelog¶

Version 6.3.5¶

Build 1¶

Released: April 7, 2026

• [Security] Address a few remote exploitable vulnerabilities in HTTP/3 engine.
• [Bug Fix] Address the truncated Node.js application log issue when application being restarted.

Build 0¶

Released: March 24, 2026

• [Security] Additional sanitation checks for external application commands to address CVE-2026-31386.
• [Security] Add UnsafeAllow3F rewrite rule flag to address unsafe %3f-encoded URLs.
• [Tuning] Add Apache-style configuration ExtAppUdpHash on|off to control hash vs domain name in extapp domain socket address.
• [Bug Fix] Update CloudLinux CageFS detection method in LiteSpeed Containers management script.
• [Improvement] Add Apache configuration directive DisableHtaccessBlockbot to disable blockbot feature in .htaccess.
• [Bug Fix] Address compatibility issues with cPGuard ModSecurity ruleset.
• [Bug Fix] Address FreeBSD 15 + zfs posix_fallocate() error handling.
• [Bug Fix] Address a PROXY protocol client address update issue for HTTP requests.
• [Bug Fix] Address incorrect CPU affinity mask for external worker processes under a LXC container.
• [Bug Fix] Make Require local configuration work properly.
• [Bug Fix] Address an Apache SSL configuration problem with SSLCertificateChainFile directive.
• [Bug Fix] Address various corner cases in ModSecurity, HTTP/2, HTTP/3, rewrite and namespace.
• [Tuning] Increase VHost-level limit of number of access log files from 4 to 8.
• [Tuning] Server PUSH tracking cookie is now off by default.
• [Tuning] Better Googlebot User-Agent detection for different services.
• [Tuning] Skip some local domains for domain limited licenses.

Older versions¶

• Version 6.3
• Older release logs.