cbcvebase.
CVE-2025-10853
published 2025-11-05

Priority: P4 · 26
CVSS 3.1 base score: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.16% (5.5th percentile)
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
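The pattern described above, as an added example that is not WSO2's code and does not reproduce the affected console: a query parameter echoed into HTML without encoding beside the same page rendered with contextual HTML encoding, a scanner-style canary check that classifies a response as unencoded, encoded or not reflected, and a check for the HttpOnly attribute the advisory cites as the mitigation. The host, page path, parameter name, canary and Set-Cookie header are constructed for this example.

```python
"""Reflected XSS via unencoded output, and the checks a reviewer would run.

Added example for illustration only. It is not WSO2 code and does not
reproduce the affected Carbon UI; the URL, page path, parameter name and
cookie header below are hypothetical and constructed for this example.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed management-console URL: the page echoes the "name" parameter
# back into the HTML it returns. Path and parameter name are invented.
SAMPLE_URL = "https://console.example.test/carbon/tool/index.jsp?name=wsdl1"

# Canary that breaks out of both text and quoted-attribute contexts and is
# unlikely to occur in real data, so a verbatim echo is unambiguous.
CANARY = "x7q<\"'>kz"


def render_unencoded(name: str) -> str:
    """Vulnerable pattern: the parameter is concatenated straight into HTML."""
    return f"<h2>Viewing {name}</h2><input type=\"text\" value=\"{name}\">"


def render_encoded(name: str) -> str:
    """Hardened pattern: encode for the HTML context before emitting.

    html.escape(quote=True) encodes & < > " and ', which covers HTML text and
    quoted-attribute contexts. A value placed inside a <script> block or a
    URL would need its own context-specific encoder instead.
    """
    safe = html.escape(name, quote=True)
    return f"<h2>Viewing {safe}</h2><input type=\"text\" value=\"{safe}\">"


def param_from_url(url: str, param: str) -> str:
    """Extract a query parameter the way the echoing page would (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Scanner-style check on a response body.

    'unencoded'     the canary's metacharacters came back verbatim
                    (reflected XSS candidate)
    'encoded'       the canary came back HTML-escaped (output encoding applied)
    'not_reflected' the parameter is not echoed at all
    """
    if canary in body:
        return "unencoded"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "not_reflected"


def cookie_is_httponly(set_cookie: str) -> bool:
    """True if a Set-Cookie header value carries the HttpOnly attribute.

    This is the mitigation the advisory notes: HttpOnly keeps the session
    cookie out of document.cookie, so injected script cannot read it, though
    it can still manipulate the UI or redirect the victim.
    """
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" in attrs


if __name__ == "__main__":
    # Tamper with the parameter as an attacker would, then feed the decoded
    # value through both renderings and classify the responses.
    tampered = SAMPLE_URL.replace("wsdl1", quote(CANARY))
    value = param_from_url(tampered, "name")
    print("vulnerable page:", classify_reflection(render_unencoded(value)))  # unencoded
    print("hardened page:  ", classify_reflection(render_encoded(value)))    # encoded
    print("session cookie HttpOnly:",
          cookie_is_httponly("JSESSIONID=abc123; Path=/; Secure; HttpOnly"))  # True
```

The canary check is deliberately conservative: it reports a finding only when the exact metacharacters survive unencoded, so a page that strips or rewrites them is reported as not reflected rather than as vulnerable, and a human still has to confirm the injection point's context before calling it exploitable.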

Affected

83 ranges · showing 25 (the version range and fixed-in columns were not captured for the first 20 rows shown; repeated products are collapsed with their row count)

Vendor | Product                                                           | Version range          | Fixed in
wso2   | api_control_plane                                                 |                        |
wso2   | api_manager (9 ranges)                                            |                        |
wso2   | enterprise_integrator                                             |                        |
wso2   | identity_server (6 ranges)                                        |                        |
wso2   | identity_server_as_key_manager                                    |                        |
wso2   | open_banking_am                                                   |                        |
wso2   | open_banking_iam                                                  |                        |
wso2   | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.19, < 4.8.19.5  | 4.8.19.5
wso2   | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.21, < 4.8.21.9  | 4.8.21.9
wso2   | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.28, < 4.8.28.3  | 4.8.28.3
wso2   | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.30, < 4.8.30.3  | 4.8.30.3
wso2   | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.32, < 4.8.32.1  | 4.8.32.1