VYPR
Critical severity · NVD Advisory · Published Feb 19, 2026 · Updated Mar 6, 2026

Authenticated arbitrary file upload via a System REST API requiring administrator permission.

CVE-2025-13590

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven) | < 9.32.167 | 9.32.167
