
WSO2 — Vulnerabilities & Security Advisories (56)

Browse all 56 CVE security advisories affecting WSO2. AI-powered Chinese analysis, POCs, and references for each vulnerability.

CVE ID | Title | Product | CWE | CVSS | Severity | Date
------ | ----- | ------- | --- | ---- | -------- | ----
CVE-2025-12624 | Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock | WSO2 Identity Server | CWE-613 | 6.0 | Medium | 2026-04-16
CVE-2025-6024 | Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2026-04-16
CVE-2024-10242 | Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2026-04-16
CVE-2024-8010 | XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files | WSO2 API Manager | CWE-611 | 3.5 | Low | 2026-04-16
CVE-2024-4867 | Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval | WSO2 API Manager | CWE-79 | 5.4 | Medium | 2026-04-16
CVE-2024-2374 | XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service | WSO2 API Manager | CWE-611 | 7.5 | High | 2026-04-16
CVE-2024-1524 | A local user can be impersonated when using federated authentication with Silent JIT Provisioning | WSO2 API Manager | CWE-290 | 7.7 | High | 2026-02-24
CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission | WSO2 API Manager | | 9.1 | Critical | 2026-02-19
CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability | WSO2 Identity Server | CWE-1336 | 8.4 | High | 2026-02-19
CVE-2025-9312 | Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products | WSO2 API Manager | CWE-306 | 9.8 | Critical | 2025-11-18
CVE-2025-6670 | Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services | WSO2 Open Banking AM | CWE-352 | 8.8 | High | 2025-11-18
CVE-2025-10853 | Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding | WSO2 Open Banking IAM | CWE-79 | 5.2 | Medium | 2025-11-05
CVE-2025-5770 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products | WSO2 Identity Server | CWE-79 | 6.1 | Medium | 2025-11-05
CVE-2025-11093 | Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS) | WSO2 Micro Integrator | CWE-94 | 8.4 | High | 2025-11-05
CVE-2025-10907 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution | WSO2 API Manager | CWE-434 | 8.4 | High | 2025-11-05
CVE-2025-10713 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration | WSO2 Enterprise Integrator | CWE-611 | 6.5 | Medium | 2025-11-05
CVE-2025-3125 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution | WSO2 Identity Server | CWE-434 | 6.7 | Medium | 2025-11-05
CVE-2025-5605 | Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure | WSO2 Identity Server | | 4.3 | Medium | 2025-10-24
CVE-2025-5350 | SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products | WSO2 Identity Server | CWE-918 | 5.9 | Medium | 2025-10-24
CVE-2025-9152 | Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint | WSO2 API Manager | | 9.8 | Critical | 2025-10-16
CVE-2025-9804 | Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs | WSO2 Identity Server as Key Manager | | 8.9 | High | 2025-10-16
CVE-2025-9955 | Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration | WSO2 Enterprise Integrator | | 5.7 | Medium | 2025-10-16
CVE-2025-10611 | Potential Broken Access Control in Multiple WSO2 Products via System REST APIs | WSO2 API Manager | | 9.8 | Critical | 2025-10-16
CVE-2025-1862 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via BPEL Uploader SOAP Service Leading to Remote Code Execution | WSO2 Enterprise Integrator | CWE-434 | 6.7 | Medium | 2025-09-26
CVE-2025-1396 | Username Enumeration in Multiple WSO2 Products with Multi-Attribute Login Enabled | WSO2 Identity Server | CWE-203 | 3.7 | Low | 2025-09-26
CVE-2025-0672 | Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association | WSO2 Identity Server as Key Manager | | 3.3 | Low | 2025-09-23
CVE-2025-0209 | Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server Account Registration Flow | WSO2 Identity Server | CWE-79 | 6.1 | Medium | 2025-09-23
CVE-2025-0663 | Potential cross-tenant account takeover vulnerability in Multiple WSO2 Products via Adaptive Authentication and Auto-Login | WSO2 Open Banking IAM | | 6.8 | Medium | 2025-09-23
CVE-2024-6429 | Content Spoofing in Multiple WSO2 Products via Error Message Injection | WSO2 Identity Server as Key Manager | | 4.3 | Medium | 2025-09-23
CVE-2025-5717 | Authenticated Remote Code Execution in Multiple WSO2 Products via Event Processor Admin Service | WSO2 API Manager | CWE-94 | 6.8 | Medium | 2025-09-23

This page lists every published CVE security advisory associated with WSO2. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.