cbcvebase.
CVE-2025-10713
published 2025-11-05


Priority: P357
Severity: critical (CVSS 3.1 base score 9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.38% (29.8th percentile)
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.

Affected

46 ranges, showing 25 (the version range and fixed-in columns were not captured for the first 16 rows)

Vendor | Product | Version range | Fixed in
wso2 | api_control_plane | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | api_manager | |
wso2 | enterprise_integrator | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | identity_server | |
wso2 | open_banking_am | |
wso2 | open_banking_iam | |
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.131 < 4.7.131.21 | 4.7.131.21
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.175 < 4.7.175.29 | 4.7.175.29
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.188 < 4.7.188.11 | 4.7.188.11
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.204 < 4.7.204.12 | 4.7.204.12
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.221 < 4.7.221.6 | 4.7.221.6
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.245 < 4.7.245.6 | 4.7.245.6
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.30 < 4.7.30.46 | 4.7.30.46
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.61 < 4.7.61.61 | 4.7.61.61
wso2 | org.wso2.carbon.mediation_org.wso2.carbon.localentry | >= 4.7.99 < 4.7.99.303 | 4.7.99.303