WSO2 — Vulnerabilities & Security Advisories (57)

Browse all 57 CVE security advisories affecting WSO2. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WSO2 provides an open-source platform for API management, identity and access management, and enterprise integration. Its middleware architecture, which underpins complex digital transformations, has historically been a target for attackers because of its broad attack surface. The 57 recorded Common Vulnerabilities and Exposures (CVEs) predominantly involve remote code execution, cross-site scripting, and authentication bypass flaws. These issues often stem from improper input validation and insecure default configurations within its API gateway and identity server components. While no single catastrophic breach has defined the vendor's public history, the high volume of vulnerabilities points to systemic weaknesses in code review for legacy modules. Security practitioners should prioritize patching these known vulnerabilities, particularly those affecting exposed management consoles and SOAP admin services, to prevent unauthorized access and data exfiltration in enterprise environments that rely on this integration suite.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-5717 | Authenticated Remote Code Execution in Multiple WSO2 Products via Event Processor Admin Service | WSO2 API Manager | CWE-94 | 6.8 | Medium | 2025-09-23 |
| CVE-2025-4760 | Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher | WSO2 API Manager | CWE-79 | 4.8 | Medium | 2025-09-23 |
| CVE-2024-4598 | Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator | WSO2 API Manager | | 6.5 | Medium | 2025-09-23 |
| CVE-2024-3511 | Incorrect Authorization in Multiple WSO2 Products Allows Unauthorized Access to Registry Versioned Files | WSO2 Enterprise Integrator | CWE-863 | 4.3 | Medium | 2025-06-23 |
| CVE-2024-1440 | Open Redirection in Multiple WSO2 Products via Multi-Option Authentication Endpoint | WSO2 Identity Server | CWE-601 | 5.4 | Medium | 2025-06-02 |
| CVE-2024-8008 | Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation | WSO2 Enterprise Integrator | CWE-79 | 5.2 | Medium | 2025-06-02 |
| CVE-2024-3509 | Stored Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products via Rich Text Editor | WSO2 Enterprise Integrator | CWE-79 | 4.3 | Medium | 2025-06-02 |
| CVE-2024-7074 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution | WSO2 Enterprise Integrator | CWE-434 | 6.8 | Medium | 2025-06-02 |
| CVE-2024-7073 | Unauthenticated Server-Side Request Forgery (SSRF) in Multiple WSO2 Products via SOAP Admin Services | WSO2 Identity Server as Key Manager | CWE-918 | 6.5 | Medium | 2025-06-02 |
| CVE-2024-7097 | Incorrect Authorization in Multiple WSO2 Products via SOAP Admin Service Allowing Unauthorized User Signup | WSO2 Open Banking AM | | 4.3 | Medium | 2025-05-30 |
| CVE-2024-7096 | Privilege Escalation in Multiple WSO2 Products via SOAP Admin Service Due to Business Logic Flaw | WSO2 Open Banking IAM | CWE-863 | 4.2 | Medium | 2025-05-30 |
| CVE-2024-5962 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoint of Multiple WSO2 Products Due to Missing Output Encoding | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2025-05-22 |
| CVE-2024-7487 | Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authentication | WSO2 Identity Server | CWE-287 | 5.8 | Medium | 2025-05-22 |
| CVE-2024-7103 | Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server 7.0.0 Sub-Organization Login Flow | WSO2 Identity Server | CWE-79 | 4.6 | Medium | 2025-05-22 |
| CVE-2024-6914 | Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover | WSO2 API Manager | CWE-863 | 8.8 | High | 2025-05-22 |
| CVE-2025-2905 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products | WSO2 API Manager | CWE-611 | 9.1 | Critical | 2025-05-05 |
| CVE-2024-5848 | Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2025-02-27 |
| CVE-2024-0392 | Cross-Site Request Forgery (CSRF) in WSO2 Enterprise Integrator 6.6.0 Management Console Due to Missing CSRF Token Validation | WSO2 Enterprise Integrator | CWE-352 | 5.4 | Medium | 2025-02-27 |
| CVE-2024-2321 | Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token | WSO2 API Manager | CWE-863 | 5.6 | Medium | 2025-02-27 |
| CVE-2023-6911 | Cross-Site Scripting Vulnerability in Some WSO2 Products | WSO2 API Manager | CWE-79 | 4.8 | Medium | 2023-12-18 |
| CVE-2023-6839 | WSO2 API Manager Security Vulnerability | WSO2 API Manager | CWE-209 | 5.3 | Medium | 2023-12-15 |
| CVE-2023-6838 | WSO2 API Manager Cross-Site Scripting Vulnerability | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2023-12-15 |
| CVE-2023-6837 | Incorrect Authorization in Multiple WSO2 Products via Federated Authentication with JIT Provisioning Leading to User Impersonation | WSO2 API Manager | CWE-863 | 8.5 | High | 2023-12-15 |
| CVE-2023-6836 | WSO2 API Manager Security Vulnerability | WSO2 API Manager | CWE-611 | 4.6 | Medium | 2023-12-15 |
| CVE-2023-6835 | WSO2 API Manager Security Vulnerability | WSO2 API Manager | CWE-20 | 4.3 | Medium | 2023-12-15 |
| CVE-2022-4521 | WSO2 carbon-registry Request Parameter Cross-Site Scripting | carbon-registry | CWE-79 | 3.5 | Low | 2022-12-15 |
| CVE-2022-4520 | WSO2 carbon-registry Advanced Search advancedSearchForm-ajaxprocessor.jsp Cross-Site Scripting | carbon-registry | CWE-707 | 3.5 | Low | 2022-12-15 |

This page lists every published CVE security advisory associated with WSO2. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.