Critical severity · NVD Advisory · Published Feb 19, 2026 · Updated Mar 6, 2026
Authenticated arbitrary file upload via a System REST API requiring administrator permission.
CVE-2025-13590
Description
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Because the upload destination is attacker-controlled, a specially crafted payload may lead to remote code execution.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven) | < 9.32.167 | 9.32.167 |
Affected products
- Range: 4.5.0
- Range: 9.28.116
- WSO2 / WSO2 Universal Gateway v5, range: 4.5.0
References
- github.com/advisories/GHSA-p6jf-79j3-33f3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-13590 (NVD advisory)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/ (WSO2 vendor advisory)
- github.com/wso2/carbon-apimgt/commit/49a6427b39a5d9552ce97430858bb4b1912a3044 (fix commit)
- github.com/wso2/carbon-apimgt/pull/13560 (fix pull request)
- github.com/wso2/carbon-apimgt/releases/tag/v9.32.167 (patched release)