Vendor CVEs
WSO2
All CVEs
24 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-14995 | WSO2 | Med | 0.40 | 6.1 | 0.01 | | Oct 4, 2017 | The Management Console in WSO2 Application Server 5.3.0, WSO2 Business Process Server 3.6.0, WSO2 Business Rules Server 2.2.0, WSO2 Complex Event Processor 4.2.0, WSO2 Dashboard Server 2.0.0, WSO2 Data Analytics Server 3.1.0, WSO2 Data Services Server 3.5.1, and WSO2 Machine… |
| CVE-2017-14651 | WSO2 | Med | 0.32 | 4.8 | 0.04 | | Sep 21, 2017 | WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter. |
| CVE-2024-7097 | WSO2 | | 0.02 | — | 0.01 | | May 30, 2025 | An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user… |
| CVE-2025-13590 | WSO2 | | 0.00 | — | 0.01 | | Feb 19, 2026 | A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote… |
| CVE-2025-9312 | WSO2 | | 0.00 | — | 0.00 | | Nov 18, 2025 | A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the… |
| CVE-2025-6670 | WSO2 | | 0.00 | — | 0.00 | | Nov 18, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is… |
| CVE-2025-10853 | WSO2 | | 0.00 | — | 0.00 | | Nov 5, 2025 | A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. … |
| CVE-2025-11093 | WSO2 | | 0.00 | — | 0.00 | | Nov 5, 2025 | An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. … |
| CVE-2025-10907 | WSO2 | | 0.00 | — | 0.00 | | Nov 5, 2025 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location… |
| CVE-2025-10713 | WSO2 | | 0.00 | — | 0.00 | | Nov 5, 2025 | An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could… |
| CVE-2025-3125 | WSO2 | | 0.00 | — | 0.01 | | Nov 5, 2025 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the… |
| CVE-2025-5605 | WSO2 | | 0.00 | — | 0.01 | | Oct 24, 2025 | An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information… |
| CVE-2025-5350 | WSO2 | | 0.00 | — | 0.01 | | Oct 24, 2025 | SSRF and Reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF).… |
| CVE-2025-9804 | WSO2 | | 0.00 | — | 0.01 | | Oct 16, 2025 | An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing… |
| CVE-2025-9955 | WSO2 | | 0.00 | — | 0.00 | | Oct 16, 2025 | An improper access control vulnerability exists in the WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store… |
| CVE-2025-10611 | WSO2 | | 0.00 | — | 0.01 | | Oct 16, 2025 | Due to an insufficient access control implementation in multiple WSO2 products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a… |
| CVE-2025-5717 | WSO2 | | 0.00 | — | 0.01 | | Sep 23, 2025 | An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution… |
| CVE-2025-4760 | WSO2 | | 0.00 | — | 0.00 | | Sep 23, 2025 | An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing… |
| CVE-2024-8008 | WSO2 | | 0.00 | — | 0.00 | | Jun 2, 2025 | A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request,… |
| CVE-2024-7073 | WSO2 | | 0.00 | — | 0.00 | | Jun 2, 2025 | A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources… |
| CVE-2024-7096 | WSO2 | | 0.00 | — | 0.01 | | May 30, 2025 | A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible… |
| CVE-2024-6914 | WSO2 | | 0.00 | — | 0.01 | | May 22, 2025 | An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account… |
| CVE-2023-6911 | WSO2 | | 0.00 | — | 0.00 | | Dec 18, 2023 | Multiple WSO2 products have been identified as vulnerable due to improper output encoding; a Stored Cross-Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. |
| CVE-2023-6835 | WSO2 | | 0.00 | — | 0.01 | | Dec 15, 2023 | Multiple WSO2 products have been identified as vulnerable due to a lack of server-side input validation in the Forum feature; API rating could be manipulated. |