CVE-2025-13590
Published 2026-02-19
Priority: P3 · 51 · high · CVSS 3.1 base score 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.6th percentile)
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
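The following added example (illustrative Python, not code from carbon-apimgt or any WSO2 product) contrasts the upload pattern the advisory describes, where the caller chooses both the target directory and the file name, with a hardened version that fixes the directory, reduces the name to a single path component, allowlists extensions, creates the file exclusively and verifies that the resolved destination stays inside the upload directory. The directory layout, file names and payload bytes are constructed for the demonstration.

```python
"""Illustrative CWE-434 hardening for a file-upload endpoint (added example,
not carbon-apimgt code). The directory layout, names and payload bytes below
are constructed for the demonstration."""
import tempfile
from pathlib import Path, PurePosixPath

# Only the content types the endpoint genuinely needs. Server-executable or
# deployable types (.jsp, .war, .jar, .sh, ...) are deliberately absent.
ALLOWED_EXTENSIONS = {".json", ".yaml", ".yml", ".xml", ".png"}


def vulnerable_save(base_dir: Path, target_dir: str, filename: str, data: bytes) -> Path:
    """Vulnerable pattern: the caller picks both directory and name.
    '..' segments (or an absolute target_dir, which pathlib lets replace
    base_dir entirely) escape the upload area, and no extension check exists,
    so deployable content can land where the server will execute it."""
    dest = base_dir / target_dir / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def safe_filename(filename: str) -> str:
    """Reduce an untrusted name to one path component with an allowed extension."""
    # Strip any directory part (treat '\\' like '/'), then drop NUL bytes that
    # lower layers may treat as string terminators.
    name = PurePosixPath(filename.replace("\\", "/")).name.replace("\x00", "")
    if not name or name in {".", ".."}:
        raise ValueError("empty or reserved file name")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {name!r}")
    return name


def hardened_save(base_dir: Path, filename: str, data: bytes, max_bytes: int = 1 << 20) -> Path:
    """Write under base_dir only; the caller never chooses the directory."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    base = base_dir.resolve()
    base.mkdir(parents=True, exist_ok=True)
    dest = (base / safe_filename(filename)).resolve()
    # Defence in depth: check containment on the *resolved* path, which also
    # catches a symlink planted inside base_dir that points elsewhere.
    if dest.parent != base:
        raise ValueError("destination escapes the upload directory")
    # Exclusive create: never silently overwrite an existing file.
    with open(dest, "xb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both variants in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "deployment" / "uploads"
        base.mkdir(parents=True)
        # Vulnerable: a '..' target directory writes outside base.
        escaped = vulnerable_save(base, "../webapps", "shell.jsp", b"constructed payload")
        outcome = {"vulnerable_escaped": base.resolve() not in escaped.resolve().parents}
        # Hardened: the same kind of input is either rejected or confined to base.
        for name in ("../webapps/shell.jsp", "sub/../../x.war", "../webapps/ok.json", "plain.yaml"):
            try:
                written = hardened_save(base, name, b"{}")
                outcome[name] = "saved inside base" if written.parent == base.resolve() else "ESCAPED"
            except ValueError as exc:
                outcome[name] = f"rejected: {exc}"
        return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check compares resolved paths on purpose: comparing unresolved `Path` objects lets `base/../webapps/shell.jsp` still list `base` among its parents, which is exactly the false sense of safety the vulnerable variant relies on.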
Affected
27 ranges listed at source, 25 shown
| Vendor | Product | Affected version range | Fixed in |
|---|---|---|---|
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.179 | 4.2.0.179 |
| wso2 | wso2_api_manager | >= 4.3.0 < 4.3.0.91 | 4.3.0.91 |
| wso2 | wso2_api_manager | >= 4.4.0 < 4.4.0.55 | 4.4.0.55 |
| wso2 | wso2_api_manager | >= 4.5.0 < 4.5.0.38 | 4.5.0.38 |
| wso2 | wso2_api_manager | >= 4.6.0 < 4.6.0.3 | 4.6.0.3 |
| wso2 | wso2_api_control_plane | >= 4.5.0 < 4.5.0.39 | 4.5.0.39 |
| wso2 | wso2_api_control_plane | >= 4.6.0 < 4.6.0.3 | 4.6.0.3 |
| wso2 | wso2_traffic_manager | >= 4.5.0 < 4.5.0.37 | 4.5.0.37 |
| wso2 | wso2_traffic_manager | >= 4.6.0 < 4.6.0.3 | 4.6.0.3 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.28.116 < 9.28.116.391 | 9.28.116.391 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.29.120 < 9.29.120.210 | 9.29.120.210 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.30.67 < 9.30.67.133 | 9.30.67.133 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.31.86 < 9.31.86.100 | 9.31.86.100 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.32.147 < 9.32.147.2 | 9.32.147.2 |

Also listed (two entries each) as CPE product names with no version range given: api_manager, api_control_plane, traffic_manager, universal_gateway.
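As an added helper (not WSO2's code; the fixed-in values are copied from the table above), the functions below decide from a product name and a version string whether an installation falls inside an affected range. They assume WSO2's convention that a four-part version such as 4.5.0.38 means product version 4.5.0 at update level 38, and that a plain 4.5.0 means update level 0; the inventory they check is constructed. Products the page lists only as CPE names without a range (universal_gateway and the bare api_manager, api_control_plane and traffic_manager entries) are reported as undetermined rather than as fixed.

```python
"""Added helper: compare WSO2 product versions with the fixed-in update levels
listed for CVE-2025-13590 on this page. Assumption: 'X.Y.Z.N' means product
version X.Y.Z at update level N (plain 'X.Y.Z' is level 0)."""
from typing import Dict, List, Optional, Tuple

# Fixed-in update level per affected base version, copied from the table above.
FIXED_IN: Dict[str, Dict[str, int]] = {
    "wso2_api_manager": {"4.2.0": 179, "4.3.0": 91, "4.4.0": 55, "4.5.0": 38, "4.6.0": 3},
    "wso2_api_control_plane": {"4.5.0": 39, "4.6.0": 3},
    "wso2_traffic_manager": {"4.5.0": 37, "4.6.0": 3},
    "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl": {
        "9.28.116": 391, "9.29.120": 210, "9.30.67": 133, "9.31.86": 100, "9.32.147": 2,
    },
}
# Listed on the page only as CPE names, with no version range.
RANGE_UNKNOWN = {"universal_gateway", "api_manager", "api_control_plane", "traffic_manager"}


def parse_version(version: str) -> Tuple[str, int]:
    """Split 'X.Y.Z[.N]' into (base 'X.Y.Z', update level N or 0)."""
    parts = version.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string {version!r}")
    return ".".join(parts[:3]), (int(parts[3]) if len(parts) == 4 else 0)


def assess(product: str, version: str) -> Tuple[Optional[bool], str]:
    """Return (affected, reason). 'affected' is None when the page's data
    cannot decide: product without a range, or a base version not listed."""
    base, level = parse_version(version)
    ranges = FIXED_IN.get(product)
    if ranges is None:
        note = "no version range on this page" if product in RANGE_UNKNOWN else "product not in advisory"
        return None, f"{product} {version}: {note}"
    fixed = ranges.get(base)
    if fixed is None:
        return None, f"{product} {version}: base version {base} not among listed affected versions"
    if level < fixed:
        return True, f"{product} {version}: below fixed update level {base}.{fixed}"
    return False, f"{product} {version}: at or above fixed update level {base}.{fixed}"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group a (product, version) inventory into affected / fixed / undetermined."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "undetermined": []}
    for product, version in inventory:
        affected, reason = assess(product, version)
        key = "undetermined" if affected is None else ("affected" if affected else "fixed")
        buckets[key].append(reason)
    return buckets


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    sample = [
        ("wso2_api_manager", "4.5.0.37"),
        ("wso2_api_manager", "4.5.0.38"),
        ("wso2_api_manager", "4.2.0"),
        ("wso2_traffic_manager", "4.6.0.2"),
        ("org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl", "9.32.147.2"),
        ("universal_gateway", "4.5.0.10"),
        ("wso2_api_manager", "4.1.0.50"),
    ]
    for bucket, lines in triage(sample).items():
        print(bucket.upper())
        for line in lines:
            print("  " + line)
```

An "undetermined" result is deliberately not collapsed into "fixed": a base version absent from the table (older than 4.2.0, or newer than 4.6.0) or a product with no published range needs the vendor advisory, not this table, to settle it.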
VulDB
WSO2 API Manager unrestricted upload
vuldb · 2026-06-21 · CVSS 7.2 · CVE-2025-13590 [HIGH]
A vulnerability was found in WSO2 API Manager, API Control Plane, Universal Gateway, Traffic Manager and org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl. It has been classified as critical. This issue affects some unknown processing. The manipulation leads to unrestricted upload.
This vulnerability is uniquely identified as CVE-2025-13590. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
carbon-apimgt does not properly restrict uploaded files
ghsa · 2026-02-19 · CVE-2025-13590 [CRITICAL] · CWE-434 (Unrestricted Upload of File with Dangerous Type)
Description as in the NVD text above.
OSV
carbon-apimgt does not properly restrict uploaded files
osv · 2026-02-19 · CVE-2025-13590 [CRITICAL]
Description as in the NVD text above.
No detection rules found.
No public exploits indexed.
Wiz (related advisory for the same product, a different CVE)
CVE-2024-1524 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.7 · CVE-2024-1524 [HIGH]
## CVE-2024-1524: WSO2 API Manager vulnerability analysis and mitigation
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP), there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users.
There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.
The deployment should have:
- An IDP configured for federated authentication with Silent JIT provisioning enabled.
The malicious actor should have:
- A fre
Wiz
CVE-2025-13590 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.1 · CVE-2025-13590 [CRITICAL]
## CVE-2025-13590: Java vulnerability analysis and mitigation
Description as in the NVD text above (source: NVD).
Score: 7.2 (severity HIGH) · CNA score: 9.1
Published: February 19, 2026
Affected technologies: Java, WSO2 API Manager
Has public exploit: No · Has CISA KEV exploit: No (KEV release date N/A, due date N/A)
EPSS as reported by Wiz (a different snapshot from the header figure above): probability 0.1, percentile 28.3
Affected packages and libraries: cpe:2.3:a:wso2:api_manager, org.wso2.carbon.a
Bugzilla (unrelated to CVE-2025-13590: a Linux kernel CAN-driver advisory, listed here only because its Red Hat erratum number, RHSA-2025:13590, matches the CVE number)
CVE-2021-47670 kernel: can: peak_usb: fix use after free bugs
bugzilla · 2025-04-17 · CVSS 7.8 · CVE-2021-47670 [HIGH]
In the Linux kernel, the following vulnerability has been resolved:
can: peak_usb: fix use after free bugs
After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the peak_usb_netif_rx_ni(). Reordering the lines solves the issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025041734-CVE-2021-47670-2b77@gregkh/T
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2025:13590 https://access.redhat.com/errata/RHSA-2025:13590 and via RHSA-2025:13589 https://access.redhat.com/err