CVE-2024-8010
published 2026-04-16
Priority: P3 · 47 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.27% (19.0th percentile)
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.
By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | >= 3.2.0 < 3.2.0.397 | 3.2.0.397 |
| wso2 | api_manager | >= 3.2.1 < 3.2.1.27 | 3.2.1.27 |
| wso2 | api_manager | 4.0.0 – 4.0.0.310 | — |
| wso2 | api_manager | >= 4.1.0 < 4.1.0.171 | 4.1.0.171 |
| wso2 | api_manager | >= 4.2.0 < 4.2.0.127 | 4.2.0.127 |
| wso2 | api_manager | >= 4.3.0 < 4.3.0.39 | 4.3.0.39 |
| wso2 | wso2_api_manager | >= 3.2.0 < 3.2.0.397 | 3.2.0.397 |
| wso2 | wso2_api_manager | >= 3.2.1 < 3.2.1.27 | 3.2.1.27 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.310 | 4.0.0.310 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.319 | 4.0.0.319 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.171 | 4.1.0.171 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.127 | 4.2.0.127 |
| wso2 | wso2_api_manager | >= 4.3.0 < 4.3.0.39 | 4.3.0.39 |
GHSA
GHSA-4fxw-3p35-q323: The component accepts XML input through the publisher without disabling external entity resolution
ghsa_unreviewed·2026-04-16
CVE-2024-8010 [LOW] CWE-611 GHSA-4fxw-3p35-q323: The component accepts XML input through the publisher without disabling external entity resolution
VulDB
WSO2 API Manager prior 4.3.0.39 Publisher xml external entity reference (EUVD-2024-55549)
vuldb·2026-04-16·CVSS 3.5
CVE-2024-8010 [LOW] WSO2 API Manager prior 4.3.0.39 Publisher xml external entity reference (EUVD-2024-55549)
A vulnerability classified as problematic has been found in WSO2 API Manager. This affects an unknown part of the component Publisher. Performing a manipulation results in xml external entity reference.
This vulnerability is cataloged as CVE-2024-8010. The attack must originate from the local network. There is no exploit available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-16