CVE-2025-10503
Published: 2026-04-29
Priority: P427 | Severity: medium, 6.1 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.17% (7.0th percentile)
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting.
An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | identity_server | >= 7.1.0 < 7.1.0.28 | 7.1.0.28 |
| wso2 | wso2_identity_server | >= 7.1.0 < 7.1.0.28 | 7.1.0.28 |
VulDB
WSO2 Identity Server up to 7.0.0.87 Authentication Endpoint cross site scripting (CNNVD-202604-5694)
vuldb · 2026-05-05 · CVSS 6.1 · CVE-2025-10503 [MEDIUM]
A vulnerability was found in WSO2 Identity Server. It has been declared as problematic. This issue affects some unknown processing of the component Authentication Endpoint. Executing a manipulation can lead to cross site scripting.
This vulnerability is registered as CVE-2025-10503. It is possible to launch the attack remotely. No exploit is available.
It is recommended to upgrade the affected component.
GHSA
GHSA-6pqq-8j74-wgg5: The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding
ghsa_unreviewed · 2026-04-29 · CVE-2025-10503 [MEDIUM] · CWE-79
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.