CVE-2025-13590
published 2026-02-19

CVE-2025-13590: A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API…

Priority: P351
CVSS 3.1: 7.2 (high)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.6th percentile)
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Affected

27 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_control_plane | | |
| wso2 | api_control_plane | | |
| wso2 | api_manager | | |
| wso2 | api_manager | | |
| wso2 | api_manager | | |
| wso2 | api_manager | | |
| wso2 | api_manager | | |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.28.116 < 9.28.116.391 | 9.28.116.391 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.29.120 < 9.29.120.210 | 9.29.120.210 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.30.67 < 9.30.67.133 | 9.30.67.133 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.31.86 < 9.31.86.100 | 9.31.86.100 |
| wso2 | org.wso2.carbon.apimgt_org.wso2.carbon.apimgt.impl | >= 9.32.147 < 9.32.147.2 | 9.32.147.2 |
| wso2 | traffic_manager | | |
| wso2 | traffic_manager | | |
| wso2 | universal_gateway | | |
| wso2 | universal_gateway | | |
| wso2 | wso2_api_control_plane | >= 4.5.0 < 4.5.0.39 | 4.5.0.39 |
| wso2 | wso2_api_control_plane | >= 4.6.0 < 4.6.0.3 | 4.6.0.3 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.179 | 4.2.0.179 |
| wso2 | wso2_api_manager | >= 4.3.0 < 4.3.0.91 | 4.3.0.91 |
| wso2 | wso2_api_manager | >= 4.4.0 < 4.4.0.55 | 4.4.0.55 |
| wso2 | wso2_api_manager | >= 4.5.0 < 4.5.0.38 | 4.5.0.38 |
| wso2 | wso2_api_manager | >= 4.6.0 < 4.6.0.3 | 4.6.0.3 |
| wso2 | wso2_traffic_manager | >= 4.5.0 < 4.5.0.37 | 4.5.0.37 |
| wso2 | wso2_traffic_manager | >= 4.6.0 < 4.6.0.3 | 4.6.0.3 |