CVE-2025-6024
Published 2026-04-16
Priority: P4 · 30 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.23% (13.7th percentile)
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | wso2_api_manager | >= 3.1.0 < 3.1.0.351 | 3.1.0.351 |
| wso2 | wso2_api_manager | >= 3.2.0 < 3.2.0.455 | 3.2.0.455 |
| wso2 | wso2_api_manager | >= 3.2.1 < 3.2.1.74 | 3.2.1.74 |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.375 | 4.0.0.375 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.238 | 4.1.0.238 |
| wso2 | wso2_identity_server | >= 5.10.0 < 5.10.0.360 | 5.10.0.360 |
| wso2 | wso2_identity_server | >= 5.11.0 < 5.11.0.405 | 5.11.0.405 |
GHSA
GHSA-ppc7-gg9m-7hwq (ghsa_unreviewed · 2026-04-16 · MEDIUM · CWE-79): The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection
VulDB
WSO2 API Manager/Identity Server Authentication Endpoint cross site scripting (EUVD-2025-209497) · vuldb · 2026-04-16 · CVSS 6.1 · MEDIUM
A vulnerability classified as problematic has been found in WSO2 API Manager and Identity Server. It affects some unknown processing of the Authentication Endpoint component. The manipulation leads to cross-site scripting.
This vulnerability is documented as CVE-2025-6024. The attack can be initiated remotely. No exploit is available.
Upgrading the affected component is advisable.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.