WSO2 Traffic Manager

by WSO2

CVEs (13)

  • CVE-2025-13590 (Feb 19, 2026)
    risk 0.00 | cvss | epss 0.01

    A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote…

  • CVE-2025-9312 (Nov 18, 2025)
    risk 0.00 | cvss | epss 0.00

    A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the…

  • CVE-2025-6670 (Nov 18, 2025)
    risk 0.00 | cvss | epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is…

  • CVE-2025-10853 (Nov 5, 2025)
    risk 0.00 | cvss | epss 0.00

    A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. …

  • CVE-2025-11093 (Nov 5, 2025)
    risk 0.00 | cvss | epss 0.00

    An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. …

  • CVE-2025-10907 (Nov 5, 2025)
    risk 0.00 | cvss | epss 0.00

    An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location…

  • CVE-2025-10713 (Nov 5, 2025)
    risk 0.00 | cvss | epss 0.00

    An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could…

  • CVE-2025-3125 (Nov 5, 2025)
    risk 0.00 | cvss | epss 0.01

    An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the…

  • CVE-2025-5605 (Oct 24, 2025)
    risk 0.00 | cvss | epss 0.01

    An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information…

  • CVE-2025-5350 (Oct 24, 2025)
    risk 0.00 | cvss | epss 0.01

    SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF).…

  • CVE-2025-5717 (Sep 23, 2025)
    risk 0.00 | cvss | epss 0.01

    An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution…

  • CVE-2025-4760 (Sep 23, 2025)
    risk 0.00 | cvss | epss 0.00

    An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing…

  • CVE-2024-8008 (Jun 2, 2025)
    risk 0.00 | cvss | epss 0.00

    A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request,…