
WSO2 API Manager — Vulnerabilities & Security Advisories (25)

All 25 CVE vulnerabilities found in WSO2 API Manager, with AI-generated Chinese analysis, references, and POCs.

This page aggregates security vulnerabilities associated with the WSO2 API Manager product, focusing on Common Weakness Enumeration (CWE) classifications and vendor-specific advisory tags. The collected data encompasses a comprehensive range of vulnerability types, including cross-site scripting, path traversal, and improper input validation, covering security incidents reported from the product’s initial releases through recent updates. By presenting this information in a structured format, the page allows users to track WSO2’s security advisory history, understand the specific manifestations of identified weakness classes within this API management platform, and look up the complete vulnerability history of the software. This aggregation serves as a centralized reference for security analysts, developers, and system administrators seeking to assess the risk profile of their WSO2 deployments. It provides context on how frequently certain vulnerabilities occur and how they have been addressed in subsequent patches or version releases. The data is sourced from official vendor disclosures and public vulnerability databases, ensuring accuracy and relevance for compliance and remediation planning. Users can navigate through chronological listings or filter by severity to identify critical issues that require immediate attention. This resource does not provide remediation instructions but rather offers a factual record of known defects. It is designed to support vulnerability management workflows by highlighting trends and recurrence patterns specific to the WSO2 API Manager ecosystem.

Vendor: WSO2

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-8154 | HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation | CWE-74 | 5.3 | Medium | 2026-05-11 |
| CVE-2025-6024 | Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2024-10242 | Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2024-8010 | XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files | CWE-611 | 3.5 | Low | 2026-04-16 |
| CVE-2024-4867 | Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval | CWE-79 | 5.4 | Medium | 2026-04-16 |
| CVE-2024-2374 | XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service | CWE-611 | 7.5 | High | 2026-04-16 |
| CVE-2024-1524 | A local user can be impersonated when using federated authentication with Silent JIT Provisioning | CWE-290 | 7.7 | High | 2026-02-24 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission | | 9.1 | Critical | 2026-02-19 |
| CVE-2025-9312 | Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products | CWE-306 | 9.8 | Critical | 2025-11-18 |
| CVE-2025-10907 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution | CWE-434 | 8.4 | High | 2025-11-05 |
| CVE-2025-9152 | Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint | | 9.8 | Critical | 2025-10-16 |
| CVE-2025-10611 | Potential Broken Access Control in Multiple WSO2 Products via System REST APIs | | 9.8 | Critical | 2025-10-16 |
| CVE-2025-5717 | Authenticated Remote Code Execution in Multiple WSO2 Products via Event Processor Admin Service | CWE-94 | 6.8 | Medium | 2025-09-23 |
| CVE-2025-4760 | Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher | CWE-79 | 4.8 | Medium | 2025-09-23 |
| CVE-2024-4598 | Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator | | 6.5 | Medium | 2025-09-23 |
| CVE-2024-5962 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoint of Multiple WSO2 Products Due to Missing Output Encoding | CWE-79 | 6.1 | Medium | 2025-05-22 |
| CVE-2024-6914 | Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover | CWE-863 | 8.8 | High | 2025-05-22 |
| CVE-2025-2905 | An XML External Entity (XXE) vulnerability in Multiple WSO2 Products | CWE-611 | 9.1 | Critical | 2025-05-05 |
| CVE-2024-5848 | Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation | CWE-79 | 6.1 | Medium | 2025-02-27 |
| CVE-2024-2321 | Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token | CWE-863 | 5.6 | Medium | 2025-02-27 |
| CVE-2023-6911 | Cross-Site Scripting Vulnerability in Multiple WSO2 Products | CWE-79 | 4.8 | Medium | 2023-12-18 |
| CVE-2023-6839 | WSO2 API Manager Security Vulnerability | CWE-209 | 5.3 | Medium | 2023-12-15 |
| CVE-2023-6838 | WSO2 API Manager Cross-Site Scripting Vulnerability | CWE-79 | 6.1 | Medium | 2023-12-15 |
| CVE-2023-6837 | Incorrect Authorization in Multiple WSO2 Products via Federated Authentication with JIT Provisioning Leading to User Impersonation | CWE-863 | 8.5 | High | 2023-12-15 |
| CVE-2023-6835 | WSO2 API Manager Security Vulnerability | CWE-20 | 4.3 | Medium | 2023-12-15 |

All 25 known CVE vulnerabilities affecting WSO2 API Manager with full Chinese analysis, references, and POCs where available.