CVE-2025-6024
published 2026-04-16


Priority: P4 30
Severity: medium
CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.23% (13.7th percentile)
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
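The two points in the description, output encoding of untrusted input and the HttpOnly flag on the session cookie, shown as an added example (not WSO2 code; the cookie name and the sample username are assumed):

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a login name containing markup, as a user could submit it
# to an authentication endpoint that echoes the name back on failure.
SAMPLE_USERNAME = 'alice<script>document.title="injected"</script>'


def render_login_error_unsafe(username: str) -> str:
    """The defect class the advisory describes: user input is interpolated into
    the page without encoding, so markup in the input becomes markup in the page."""
    return f"<p>Login failed for user {username}</p>"


def render_login_error(username: str) -> str:
    """Hardened form: HTML-encode untrusted input before rendering it. quote=True also
    encodes quotes, so the value is safe inside attribute values as well as text."""
    return f"<p>Login failed for user {html.escape(username, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Emit the session cookie with the HttpOnly flag the advisory credits with
    preventing session hijacking; Secure and SameSite are added as good practice.
    The cookie name JSESSIONID is an assumption for illustration."""
    cookie = SimpleCookie()
    cookie["JSESSIONID"] = session_id
    cookie["JSESSIONID"]["httponly"] = True
    cookie["JSESSIONID"]["secure"] = True
    cookie["JSESSIONID"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


def contains_live_script(page: str) -> bool:
    """Simple check for a response-body scanner or unit test: does the rendered
    page still contain an unencoded <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_login_error_unsafe(SAMPLE_USERNAME))  # markup survives
    print(render_login_error(SAMPLE_USERNAME))         # markup neutralized
    print(session_cookie_header("constructed-session-id"))
```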

Affected

14 ranges
Vendor | Product              | Version range           | Fixed in
wso2   | api_manager          |                         |
wso2   | api_manager          |                         |
wso2   | api_manager          |                         |
wso2   | api_manager          |                         |
wso2   | api_manager          |                         |
wso2   | identity_server      |                         |
wso2   | identity_server      |                         |
wso2   | wso2_api_manager     | >= 3.1.0 < 3.1.0.351    | 3.1.0.351
wso2   | wso2_api_manager     | >= 3.2.0 < 3.2.0.455    | 3.2.0.455
wso2   | wso2_api_manager     | >= 3.2.1 < 3.2.1.74     | 3.2.1.74
wso2   | wso2_api_manager     | >= 4.0.0 < 4.0.0.375    | 4.0.0.375
wso2   | wso2_api_manager     | >= 4.1.0 < 4.1.0.238    | 4.1.0.238
wso2   | wso2_identity_server | >= 5.10.0 < 5.10.0.360  | 5.10.0.360
wso2   | wso2_identity_server | >= 5.11.0 < 5.11.0.405  | 5.11.0.405