WSO2 — Vulnerabilities & Security Advisories (57)

Browse all 57 CVE security advisories affecting WSO2. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WSO2 provides an open-source platform for API management, identity and access management, and enterprise integration. Its middleware architecture, which underpins complex digital transformation projects, has historically attracted attackers because of its broad attack surface. The 57 recorded Common Vulnerabilities and Exposures (CVEs) predominantly involve remote code execution, cross-site scripting, and authentication bypass flaws. These issues often stem from improper input validation and insecure default configurations in its API gateway and identity server components. While no single catastrophic breach has defined the vendor's public history, the high volume of vulnerabilities points to systemic weaknesses in code review for legacy modules. Security practitioners must prioritize patching these known vulnerabilities, particularly those affecting exposed management consoles, to prevent unauthorized access and data exfiltration in enterprise environments that rely on this integration suite.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-10503 | Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server | WSO2 Identity Server | CWE-79 | 6.1 | Medium | 2026-04-29 |
| CVE-2025-12624 | Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock | WSO2 Identity Server | CWE-613 | 6.0 | Medium | 2026-04-16 |
| CVE-2025-6024 | Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2024-10242 | Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2024-8010 | XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files | WSO2 API Manager | CWE-611 | 3.5 | Low | 2026-04-16 |
| CVE-2024-4867 | Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval | WSO2 API Manager | CWE-79 | 5.4 | Medium | 2026-04-16 |
| CVE-2024-2374 | XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service | WSO2 API Manager | CWE-611 | 7.5 | High | 2026-04-16 |
| CVE-2024-1524 | A local user can be impersonated when using federated authentication with Silent JIT Provisioning | WSO2 API Manager | CWE-290 | 7.7 | High | 2026-02-24 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission | WSO2 API Manager | n/a | 9.1 | Critical | 2026-02-19 |
| CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability | WSO2 Identity Server | CWE-1336 | 8.4 | High | 2026-02-19 |
| CVE-2025-9312 | Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products | WSO2 API Manager | CWE-306 | 9.8 | Critical | 2025-11-18 |
| CVE-2025-6670 | Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services | WSO2 Open Banking AM | CWE-352 | 8.8 | High | 2025-11-18 |
| CVE-2025-10853 | Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding | WSO2 Open Banking IAM | CWE-79 | 5.2 | Medium | 2025-11-05 |
| CVE-2025-5770 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products | WSO2 Identity Server | CWE-79 | 6.1 | Medium | 2025-11-05 |
| CVE-2025-11093 | Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS) | WSO2 Micro Integrator | CWE-94 | 8.4 | High | 2025-11-05 |
| CVE-2025-10907 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution | WSO2 API Manager | CWE-434 | 8.4 | High | 2025-11-05 |
| CVE-2025-10713 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products Due to Improper XML Parser Configuration | WSO2 Enterprise Integrator | CWE-611 | 6.5 | Medium | 2025-11-05 |
| CVE-2025-3125 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via CarbonAppUploader Admin Service Leading to Remote Code Execution | WSO2 Identity Server | CWE-434 | 6.7 | Medium | 2025-11-05 |
| CVE-2025-5605 | Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure | WSO2 Identity Server | n/a | 4.3 | Medium | 2025-10-24 |
| CVE-2025-5350 | SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products | WSO2 Identity Server | CWE-918 | 5.9 | Medium | 2025-10-24 |
| CVE-2025-9152 | Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint | WSO2 API Manager | n/a | 9.8 | Critical | 2025-10-16 |
| CVE-2025-9804 | Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs | WSO2 Identity Server as Key Manager | n/a | 8.9 | High | 2025-10-16 |
| CVE-2025-9955 | Improper Access Control in WSO2 Enterprise Integrator Product via SOAP Admin Services for Logs and User-Store Configuration | WSO2 Enterprise Integrator | n/a | 5.7 | Medium | 2025-10-16 |
| CVE-2025-10611 | Potential Broken Access Control in Multiple WSO2 Products via System REST APIs | WSO2 API Manager | n/a | 9.8 | Critical | 2025-10-16 |
| CVE-2025-1862 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via BPEL Uploader SOAP Service Leading to Remote Code Execution | WSO2 Enterprise Integrator | CWE-434 | 6.7 | Medium | 2025-09-26 |
| CVE-2025-1396 | Username Enumeration in Multiple WSO2 Products with Multi-Attribute Login Enabled | WSO2 Identity Server | CWE-203 | 3.7 | Low | 2025-09-26 |
| CVE-2025-0672 | Authentication Bypass in Multiple WSO2 Products via Stale FIDO Credential Association | WSO2 Identity Server as Key Manager | n/a | 3.3 | Low | 2025-09-23 |
| CVE-2025-0209 | Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server Account Registration Flow | WSO2 Identity Server | CWE-79 | 6.1 | Medium | 2025-09-23 |
| CVE-2025-0663 | Potential cross-tenant account takeover vulnerability in Multiple WSO2 Products via Adaptive Authentication and Auto-Login | WSO2 Open Banking IAM | n/a | 6.8 | Medium | 2025-09-23 |
| CVE-2024-6429 | Content Spoofing in Multiple WSO2 Products via Error Message Injection | WSO2 Identity Server as Key Manager | n/a | 4.3 | Medium | 2025-09-23 |

(n/a: no CWE listed for that entry.)

This page lists every published CVE security advisory associated with WSO2. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.