For all my VMX installations, I turned off the local status page. I do this because if you have it open to the Internet then anyone on the Internet can access it by default, and I feel it exposes too much information.
I've done that long time ago and it still recognizes lighttpd as active
that's response from support All the CVEs you listed require the use of specific plugins within lighttpd that Meraki does not rely on, nor implement: therefore, (v)MX devices are not vulnerable to this exploit. It is common for vulnerability scanners to simply check the running version of a given application and flag alerts based solely on that information, which is likely why you received this alert, but it can be safely ignored.