CVE-2024-2374
Published 2026-04-16
Priority: P3 (54) · Severity: critical · CVSS 3.1 base score: 9.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.38% (29.6th percentile)
The XML parsers within multiple WSO2 products accept user-supplied XML data without being configured to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.
By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial-of-service attacks by exhausting server resources through recursive entity expansion or by fetching large external resources.
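The weakness described above (CWE-611) is a parser-configuration defect: a JAXP parser left at its defaults will declare and resolve external entities. The following is an added example, not WSO2's code or the vendor's fix, showing how a Java service hardens both a DOM (`DocumentBuilderFactory`) and a StAX (`XMLInputFactory`) parser so that DTDs are refused and external entities are never resolved. The class name `XxeHardening`, the helper methods and the two constructed sample documents are mine; the feature URIs and properties are the standard JAXP/Xerces ones. The external-entity sample points at a placeholder path that does not exist.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class XxeHardening {

    // Constructed sample input: a document whose DOCTYPE declares an external entity.
    // The SYSTEM identifier is a placeholder path, not a real target.
    static final String WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
        + "<data>&ext;</data>";

    // Constructed sample input: ordinary XML with no DTD, which must still parse.
    static final String PLAIN = "<data><item>ok</item></data>";

    /** DOM factory configured to reject DTDs and external entities (JAXP/Xerces feature URIs). */
    public static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: any DOCTYPE is a fatal parse error, so no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** StAX factory configured the same way: no DTD processing, no external entity resolution. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Parses with DOM; returns the root element's text, or null when the parser rejected the input. */
    public static String parseDom(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder b = factory.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A SAXParseException here is the expected outcome for any input carrying a DOCTYPE.
            return null;
        }
    }

    /** Parses with StAX; concatenates character data, or returns null when the parser rejected the input. */
    public static String parseStax(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dom = hardenedDomFactory();
        XMLInputFactory stax = hardenedStaxFactory();
        System.out.println("DOM  plain   -> " + parseDom(dom, PLAIN));
        System.out.println("DOM  doctype -> " + parseDom(dom, WITH_EXTERNAL_ENTITY));
        System.out.println("StAX plain   -> " + parseStax(stax, PLAIN));
        System.out.println("StAX doctype -> " + parseStax(stax, WITH_EXTERNAL_ENTITY));
    }
}
```

With the hardened DOM factory the plain document parses normally while the DOCTYPE-bearing document fails at the DOCTYPE itself, before any entity could be resolved; that single feature (`disallow-doctype-decl`) also closes the recursive-expansion denial-of-service path the advisory mentions, because no entity can be declared at all. The remaining features matter when an application cannot reject DTDs outright (some SOAP and SAML stacks carry them legitimately): they keep the parser from fetching external general entities, parameter entities and external DTDs. Note that `setFeature` throws `ParserConfigurationException` if the underlying implementation does not recognise a feature URI, so a service should fail closed on that exception rather than fall back to `newInstance()` defaults.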
Affected
26 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | >= 3.1.0 < 3.1.0.278 | 3.1.0.278 |
| wso2 | api_manager | >= 3.2.0 < 3.2.0.368 | 3.2.0.368 |
| wso2 | api_manager | >= 4.0.0 < 4.0.0.280 | 4.0.0.280 |
| wso2 | api_manager | >= 4.1.0 < 4.1.0.206 | 4.1.0.206 |
| wso2 | api_manager | >= 4.2.0 < 4.2.0.144 | 4.2.0.144 |
| wso2 | api_manager | >= 4.3.0 < 4.3.0.57 | 4.3.0.57 |
| wso2 | identity_server | >= 5.10.0 < 5.10.0.300 | 5.10.0.300 |
| wso2 | identity_server | >= 5.11.0 < 5.11.0.329 | 5.11.0.329 |
| wso2 | identity_server | >= 6.0.0 < 6.0.0.179 | 6.0.0.179 |
| wso2 | identity_server | >= 6.1.0 < 6.1.0.136 | 6.1.0.136 |
| wso2 | identity_server_as_key_manager | >= 5.10.0 < 5.10.0.296 | 5.10.0.296 |
| wso2 | open_banking_am | >= 2.0.0 < 2.0.0.328 | 2.0.0.328 |
| wso2 | open_banking_iam | >= 2.0.0 < 2.0.0.348 | 2.0.0.348 |
| wso2 | wso2_api_manager | >= 3.1.0 < 3.1.0.278 | 3.1.0.278 |
| wso2 | wso2_api_manager | >= 3.2.0 < 3.2.0.368 | 3.2.0.368 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.280 | 4.0.0.280 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.206 | 4.1.0.206 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.144 | 4.2.0.144 |
| wso2 | wso2_api_manager | >= 4.3.0 < 4.3.0.57 | 4.3.0.57 |
| wso2 | wso2_identity_server | >= 5.10.0 < 5.10.0.300 | 5.10.0.300 |
| wso2 | wso2_identity_server | >= 5.11.0 < 5.11.0.329 | 5.11.0.329 |
| wso2 | wso2_identity_server | >= 6.0.0 < 6.0.0.179 | 6.0.0.179 |
| wso2 | wso2_identity_server | >= 6.1.0 < 6.1.0.136 | 6.1.0.136 |
| wso2 | wso2_identity_server_as_key_manager | >= 5.10.0 < 5.10.0.296 | 5.10.0.296 |
| wso2 | wso2_open_banking_am | >= 2.0.0 < 2.0.0.328 | 2.0.0.328 |
VulDB
WSO2 API Manager XML Parser xml external entity reference (EUVD-2024-27327)
vuldb · 2026-04-16 · CVSS 7.5 · severity HIGH
A vulnerability marked as problematic has been reported in WSO2 API Manager, Identity Server, Open Banking AM, Open Banking IAM and Identity Server as Key Manager. Affected by this vulnerability is an unknown functionality of the component XML Parser. This manipulation causes xml external entity reference.
This vulnerability is tracked as CVE-2024-2374. The attack can be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
GHSA-98jv-r7r8-3rqm (ghsa_unreviewed · 2026-04-16 · severity HIGH · CWE-611)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-16