cbcvebase.
CVE-2025-8154
published 2026-05-11


Priority: P3 · 45
Severity: high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.19% (8.3th percentile)
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.

Affected (26 ranges, showing 25)

| Vendor | Product                                   | Version range              | Fixed in      |
|--------|-------------------------------------------|----------------------------|---------------|
| wso2   | api_control_plane                         | >= 4.5.0 < 4.5.0.21        | 4.5.0.21      |
| wso2   | api_manager                               | >= 4.1.0 < 4.1.0.218       | 4.1.0.218     |
| wso2   | api_manager                               | >= 4.2.0 < 4.2.0.164       | 4.2.0.164     |
| wso2   | api_manager                               | >= 4.3.0 < 4.3.0.74        | 4.3.0.74      |
| wso2   | api_manager                               | >= 4.4.0 < 4.4.0.38        | 4.4.0.38      |
| wso2   | api_manager                               | >= 4.5.0 < 4.5.0.20        | 4.5.0.20      |
| wso2   | traffic_manager                           | >= 4.5.0 < 4.5.0.19        | 4.5.0.19      |
| wso2   | universal_gateway                         | >= 4.5.0 < 4.5.0.19        | 4.5.0.19      |
| wso2   | wso2_api_control_plane                    | >= 4.5.0 < 4.5.0.21        | 4.5.0.21      |
| wso2   | wso2_api_manager                          | >= 4.1.0 < 4.1.0.218       | 4.1.0.218     |
| wso2   | wso2_api_manager                          | >= 4.2.0 < 4.2.0.164       | 4.2.0.164     |
| wso2   | wso2_api_manager                          | >= 4.3.0 < 4.3.0.74        | 4.3.0.74      |
| wso2   | wso2_api_manager                          | >= 4.4.0 < 4.4.0.38        | 4.4.0.38      |
| wso2   | wso2_api_manager                          | >= 4.5.0 < 4.5.0.20        | 4.5.0.20      |
| wso2   | wso2_carbon_api_gateway                   | >= 9.20.74 < 9.20.74.374   | 9.20.74.374   |
| wso2   | wso2_carbon_api_gateway                   | >= 9.28.116 < 9.28.116.363 | 9.28.116.363  |
| wso2   | wso2_carbon_api_gateway                   | >= 9.29.120 < 9.29.120.181 | 9.29.120.181  |
| wso2   | wso2_carbon_api_gateway                   | >= 9.30.67 < 9.30.67.104   | 9.30.67.104   |
| wso2   | wso2_carbon_api_gateway                   | >= 9.31.86 < 9.31.86.64    | 9.31.86.64    |
| wso2   | wso2_carbon_api_management_implementation | >= 9.20.74 < 9.20.74.374   | 9.20.74.374   |
| wso2   | wso2_carbon_api_management_implementation | >= 9.28.116 < 9.28.116.363 | 9.28.116.363  |
| wso2   | wso2_carbon_api_management_implementation | >= 9.29.120 < 9.29.120.181 | 9.29.120.181  |
| wso2   | wso2_carbon_api_management_implementation | >= 9.30.67 < 9.30.67.104   | 9.30.67.104   |
| wso2   | wso2_carbon_api_management_implementation | >= 9.31.86 < 9.31.86.64    | 9.31.86.64    |
| wso2   | wso2_traffic_manager                      | >= 4.5.0 < 4.5.0.19        | 4.5.0.19      |