
WSO2 — Vulnerabilities & Security Advisories (57)

Browse all 57 CVE security advisories affecting WSO2. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WSO2 provides an open-source platform for API management, identity and access management, and enterprise integration. Because the platform sits between external clients and internal services and exposes a management console, administrative SOAP services and system REST APIs, its attack surface is broad and has attracted steady attention from researchers. The advisories recorded here cluster around a few classes: cross-site scripting in the authentication endpoint and the Publisher and Developer Portal UIs (CWE-79), XML external entity injection allowing arbitrary file read or denial of service (CWE-611), incorrect authorization and broken access control in admin services, system REST APIs and token handling (CWE-863, CWE-306), and authenticated file upload or code injection in admin services leading to remote code execution (CWE-434, CWE-94). The root causes named in the advisory titles are missing output encoding, improper input validation, and authorization checks that are absent or applied to the wrong principal. The highest-rated entries (CVSS 9.1 to 9.8) all sit in administrative or authentication surfaces: certificate-based authentication enforcement, the keymanager-operations DCR endpoint, system REST APIs, SOAP admin services and XML parsing. Practitioners should patch the Critical and High entries first, keep the management console and admin APIs unreachable from untrusted networks, and treat administrator credentials as a high-value target, since several of the RCE-class issues require an authenticated account but then yield full control of the host.

Showing 24 of 57 results (filtered view)

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-6024 | Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2024-10242 | Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2026-04-16 |
| CVE-2024-8010 | XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files | WSO2 API Manager | CWE-611 | 3.5 | Low | 2026-04-16 |
| CVE-2024-4867 | Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval | WSO2 API Manager | CWE-79 | 5.4 | Medium | 2026-04-16 |
| CVE-2024-2374 | XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service | WSO2 API Manager | CWE-611 | 7.5 | High | 2026-04-16 |
| CVE-2024-1524 | A local user can be impersonated when using federated authentication with Silent JIT Provisioning | WSO2 API Manager | CWE-290 | 7.7 | High | 2026-02-24 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission | WSO2 API Manager | | 9.1 | Critical | 2026-02-19 |
| CVE-2025-9312 | Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products | WSO2 API Manager | CWE-306 | 9.8 | Critical | 2025-11-18 |
| CVE-2025-10907 | Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution | WSO2 API Manager | CWE-434 | 8.4 | High | 2025-11-05 |
| CVE-2025-9152 | Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint | WSO2 API Manager | | 9.8 | Critical | 2025-10-16 |
| CVE-2025-10611 | Potential Broken Access Control in Multiple WSO2 Products via System REST APIs | WSO2 API Manager | | 9.8 | Critical | 2025-10-16 |
| CVE-2025-5717 | Authenticated Remote Code Execution in Multiple WSO2 Products via Event Processor Admin Service | WSO2 API Manager | CWE-94 | 6.8 | Medium | 2025-09-23 |
| CVE-2025-4760 | Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher | WSO2 API Manager | CWE-79 | 4.8 | Medium | 2025-09-23 |
| CVE-2024-4598 | Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator | WSO2 API Manager | | 6.5 | Medium | 2025-09-23 |
| CVE-2024-5962 | Reflected Cross-Site Scripting (XSS) in Authentication Endpoint of Multiple WSO2 Products Due to Missing Output Encoding | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2025-05-22 |
| CVE-2024-6914 | Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover | WSO2 API Manager | CWE-863 | 8.8 | High | 2025-05-22 |
| CVE-2025-2905 | XML External Entity (XXE) Vulnerability in Multiple WSO2 Products | WSO2 API Manager | CWE-611 | 9.1 | Critical | 2025-05-05 |
| CVE-2024-5848 | Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2025-02-27 |
| CVE-2024-2321 | Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token | WSO2 API Manager | CWE-863 | 5.6 | Medium | 2025-02-27 |
| CVE-2023-6911 | Cross-Site Scripting Vulnerability in Multiple WSO2 Products | WSO2 API Manager | CWE-79 | 4.8 | Medium | 2023-12-18 |
| CVE-2023-6839 | WSO2 API Manager Security Vulnerability | WSO2 API Manager | CWE-209 | 5.3 | Medium | 2023-12-15 |
| CVE-2023-6838 | WSO2 API Manager Cross-Site Scripting Vulnerability | WSO2 API Manager | CWE-79 | 6.1 | Medium | 2023-12-15 |
| CVE-2023-6837 | Incorrect Authorization in Multiple WSO2 Products via Federated Authentication with JIT Provisioning Leading to User Impersonation | WSO2 API Manager | CWE-863 | 8.5 | High | 2023-12-15 |
| CVE-2023-6835 | WSO2 API Manager Security Vulnerability | WSO2 API Manager | CWE-20 | 4.3 | Medium | 2023-12-15 |
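The summary above tells you to patch Critical and High entries first and to pay attention to the admin-facing ones. The script below is an added example, not code from this site or from WSO2: it parses listing rows in the flattened plain-text form that this page's export produces (CVE id, title, product, optional CWE, CVSS, severity and publish date run together on one line) and turns them into a patch order. The row layout in `ROW_RE`, the `SAMPLE_ROWS` (five rows copied from this listing) and the `needs_admin_creds` heuristic, which only looks for the words "Authenticated" or "requiring administrator" in the advisory title, are assumptions of the example; an advisory whose title does not carry that label is not necessarily exploitable without credentials.

```python
"""Parse a flattened WSO2 advisory listing and rank it into a patch order (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample: five rows copied in the flattened form this listing uses,
# where product, optional CWE, CVSS score, severity and publish date run together.
SAMPLE_ROWS = """\
CVE-2025-9312 Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products — WSO2 API ManagerCWE-306 9.8 Critical2025-11-18
CVE-2025-10907 Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution — WSO2 API ManagerCWE-434 8.4 High2025-11-05
CVE-2025-10611 Potential Broken Access Control in Multiple WSO2 Products via System REST APIs — WSO2 API Manager 9.8 Critical2025-10-16
CVE-2024-4867 Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval — WSO2 API ManagerCWE-79 5.4 Medium2026-04-16
CVE-2024-8010 XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files — WSO2 API ManagerCWE-611 3.5 Low2026-04-16
"""

# Assumed layout of one row (the flattened export seen on this page, not an official WSO2 format):
#   <CVE id> <title> — <product>[CWE-nnn] <cvss> <severity><yyyy-mm-dd>
# The product is matched lazily so that an optional CWE glued onto it is still split off.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"
    r"(?P<product>.+?)"
    r"(?P<cwe>CWE-\d+)?\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<severity>Critical|High|Medium|Low)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: Optional[str]   # None when the listing carries no CWE for the entry
    cvss: float
    severity: str
    published: date


def parse_rows(text: str) -> list:
    """Turn flattened listing rows into Advisory records; an unparseable row raises."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"row does not match expected layout: {line!r}")
        advisories.append(Advisory(
            cve=m["cve"],
            title=m["title"],
            product=m["product"].strip(),
            cwe=m["cwe"],
            cvss=float(m["cvss"]),
            severity=m["severity"],
            published=date.fromisoformat(m["published"]),
        ))
    return advisories


def needs_admin_creds(adv: Advisory) -> bool:
    """Heuristic (assumption): titles that say 'Authenticated' or 'requiring administrator'
    need a valid account before the issue is exploitable."""
    t = adv.title.lower()
    return t.startswith("authenticated") or "requiring administrator" in t


def patch_order(advisories) -> list:
    """CVE ids ordered by severity, then CVSS, then unlabelled-auth before authenticated,
    then newest first, so the top of the list is what to patch today."""
    ranked = sorted(
        advisories,
        key=lambda a: (SEVERITY_RANK[a.severity], a.cvss, not needs_admin_creds(a), a.published),
        reverse=True,
    )
    return [a.cve for a in ranked]


if __name__ == "__main__":
    advs = parse_rows(SAMPLE_ROWS)
    for adv in advs:
        flag = "needs account" if needs_admin_creds(adv) else "no auth label"
        print(f"{adv.cve:<15} {adv.severity:<8} {adv.cvss:<4} {adv.cwe or '-':<8} {flag}")
    print("patch order:", patch_order(advs))
```

Feed the full listing into `parse_rows` instead of `SAMPLE_ROWS` to rank all entries; rows that do not match the expected layout raise rather than being silently skipped, which is the behaviour you want when a triage list feeds a ticketing system.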

This page lists every published CVE security advisory associated with WSO2. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.