CVE-2024-8010
published 2026-04-16

Priority: P3 · 47 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.27% (19.0th percentile)

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.

Affected

13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | >= 3.2.0 < 3.2.0.397 | 3.2.0.397 |
| wso2 | api_manager | >= 3.2.1 < 3.2.1.27 | 3.2.1.27 |
| wso2 | api_manager | 4.0.0 – 4.0.0.310 | |
| wso2 | api_manager | >= 4.1.0 < 4.1.0.171 | 4.1.0.171 |
| wso2 | api_manager | >= 4.2.0 < 4.2.0.127 | 4.2.0.127 |
| wso2 | api_manager | >= 4.3.0 < 4.3.0.39 | 4.3.0.39 |
| wso2 | wso2_api_manager | >= 3.2.0 < 3.2.0.397 | 3.2.0.397 |
| wso2 | wso2_api_manager | >= 3.2.1 < 3.2.1.27 | 3.2.1.27 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.310 | 4.0.0.310 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.319 | 4.0.0.319 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.171 | 4.1.0.171 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.127 | 4.2.0.127 |
| wso2 | wso2_api_manager | >= 4.3.0 < 4.3.0.39 | 4.3.0.39 |