CVE-2025-4760
published 2025-09-23


Priority: P4 (22)
CVSS 3.1: 4.8, medium; vector AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.17% (7.0th percentile)
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products because user-supplied input is not properly validated during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when other users view the document. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. Session cookies carry the httpOnly flag, so the injected script cannot read them and hand the session to the attacker outright; httpOnly does not, however, stop that script from issuing requests to the portal with the victim's session, so the practical impact is bounded by what the victim's role can do rather than eliminated.
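
The pattern the description names (stored document content rendered unescaped to other users) is shown below as an added JavaScript example beside a hardened form. This is illustrative code written for this page, not WSO2's Publisher portal code; the uploadedDocument object, its payload, and the render and check functions are all constructed here.

```javascript
// Added illustration, not WSO2's code: the pattern behind a stored XSS in an
// "upload a document, render it to other viewers" feature, beside a hardened form.
// The document object, the payload and the render/check functions are all constructed.

// Constructed sample: what a publisher-role user might store as an API document.
const uploadedDocument = {
  name: "Getting started",
  // Constructed payload; any element with an inline event handler behaves the same.
  content: '<p>Read the docs</p><img src="x" onerror="alert(document.domain)">',
};

// Vulnerable rendering: the stored content is interpolated straight into markup that
// later lands in innerHTML (or an unescaping template), so the onerror handler runs
// in every viewer's browser with the viewer's origin and session.
function renderDocumentUnsafe(doc) {
  return `<article><h2>${doc.name}</h2><section>${doc.content}</section></article>`;
}

// Hardened rendering for plain-text documents: escape the five HTML-significant
// characters so the stored text is displayed, not parsed. (For documents that are
// meant to carry markup, run the content through an HTML sanitiser with an
// element/attribute allowlist instead; escaping would strip their formatting.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderDocumentSafe(doc) {
  return `<article><h2>${escapeHtml(doc.name)}</h2><section>${escapeHtml(doc.content)}</section></article>`;
}

// Crude check used only to make the difference visible: does the output still
// contain an element with an on* event-handler attribute? A real control is the
// escaping/sanitising step itself plus a Content-Security-Policy without
// 'unsafe-inline', which blocks inline handlers even if one slips through.
function containsInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
const unsafeOutput = renderDocumentUnsafe(uploadedDocument);
const safeOutput = renderDocumentSafe(uploadedDocument);
console.log("unsafe render has inline handler:", containsInlineHandler(unsafeOutput));
console.log("safe render has inline handler:  ", containsInlineHandler(safeOutput));
```

Escaping and httpOnly address different things and neither substitutes for the other: httpOnly keeps document.cookie empty for the injected script, but the script still executes in the victim's origin and can call the portal's own endpoints with the victim's session, which is exactly why output encoding at render time (or allowlist sanitisation for rich content) is the fix for the upload path.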

Affected

34 ranges in the source record; 25 shown. The linux_kernel rows below do not match this advisory (a WSO2 web-application XSS) and appear to be an aggregation error in the record; treat only the WSO2 rows as authoritative for CVE-2025-4760.

Vendor  Product                  Version range              Fixed in
linux   linux_kernel             >= 0 < 5.4.301             5.4.301
linux   linux_kernel             >= 5.11.0 < 5.15.195       5.15.195
linux   linux_kernel             >= 5.16.0 < 6.1.156        6.1.156
linux   linux_kernel             >= 5.5.0 < 5.10.246        5.10.246
linux   linux_kernel             >= 6.13.0 < 6.17.3         6.17.3
linux   linux_kernel             >= 6.2.0 < 6.6.112         6.6.112
linux   linux_kernel             >= 6.7.0 < 6.12.53         6.12.53
wso2    api_control_plane        (no range given)           (none given)
wso2    api_manager              (listed 7 times, no range given)
wso2    traffic_manager          (no range given)           (none given)
wso2    universal_gateway        (no range given)           (none given)
wso2    wso2_api_control_plane   >= 4.5.0 < 4.5.0.8         4.5.0.8
wso2    wso2_api_manager         >= 3.2.0 < 3.2.0.428       3.2.0.428
wso2    wso2_api_manager         >= 3.2.1 < 3.2.1.48        3.2.1.48
wso2    wso2_api_manager         >= 4.1.0 < 4.1.0.209       4.1.0.209
wso2    wso2_api_manager         >= 4.2.0 < 4.2.0.145       4.2.0.145
wso2    wso2_api_manager         >= 4.3.0 < 4.3.0.60        4.3.0.60
wso2    wso2_api_manager         >= 4.4.0 < 4.4.0.23        4.4.0.23
wso2    wso2_api_manager         >= 4.5.0 < 4.5.0.7         4.5.0.7

The fourth component of the WSO2 "Fixed in" versions is the update level of that release line (for example 4.5.0.7 is API Manager 4.5.0 at update level 7); an installation is fixed only if it is on that line at that update level or later.

CVSS provenance

NVD (CVSS v3.1): 4.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vendor (Red Hat): 5.5 MEDIUM (no vector given)