
Wso2 Api Manager vulnerabilities

79 known vulnerabilities affecting wso2/api_manager.

Total CVEs: 79
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 5
Severity breakdown: CRITICAL 13, HIGH 15, MEDIUM 51

Vulnerabilities

Page 1 of 4
CVE-2022-29464 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | Affected: ≥ 2.2.0, ≤ 4.0.0 | 2022-04-18
[CRITICAL] CWE-22: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0
Source: nvd
CVE-2020-24589 | P1 | CRITICAL | CVSS 9.1 | Exploited, PoC | Affected: ≤ 3.1.0 | 2020-08-21
[CRITICAL] CWE-611: The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
Source: nvd
CVE-2025-5605 | P1 | MEDIUM | CVSS 5.3 | Exploited, PoC | Affected: v3.1.0, v3.2.0, +7 more | 2025-10-24
[MEDIUM] CWE-290: An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics
Source: nvd
CVE-2020-17453 | P2 | MEDIUM | CVSS 6.1 | Exploited, PoC | Affected: ≤ 3.2.0 | 2021-04-05
[MEDIUM] CWE-79: WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
Source: nvd
CVE-2024-7097 | P2 | MEDIUM | CVSS 4.3 | Exploited, PoC | Affected: v2.1.0, v2.2.0, +10 more | 2025-05-30
[MEDIUM] CWE-863: An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an
Source: nvd
CVE-2022-29548 | P3 | MEDIUM | CVSS 6.1 | PoC | Affected: v2.2.0, v2.5.0, +5 more | 2022-04-21
[MEDIUM] CWE-79: A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0,
Source: nvd
CVE-2026-2053 | P2 | CRITICAL | CVSS 10.0 | Affected: ≥ 3.1.0, < 3.1.0.360; ≥ 3.2.0, < 3.2.0.465; +3 more | 2026-06-26
[CRITICAL] CWE-918: The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated requests. Successful exploitation allows an unauthent
Source: nvd
CVE-2025-9312 | P2 | CRITICAL | CVSS 9.8 | Affected: v2.2.0, v2.5.0, +11 more | 2025-11-18
[CRITICAL] CWE-306: A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is
Source: nvd
CVE-2025-10611 | P2 | CRITICAL | CVSS 9.8 | Affected: v2.1.0, v2.2.0, +12 more | 2025-10-16
[CRITICAL] CWE-863: Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthentic
Source: nvd
CVE-2025-9152 | P2 | CRITICAL | CVSS 9.8 | Affected: v3.2.0, v3.2.1, +6 more | 2025-10-16
[CRITICAL] CWE-306: An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the abil
Source: nvd
CVE-2024-6914 | P2 | CRITICAL | CVSS 9.8 | Affected: v2.2.0, v2.5.0, +9 more | 2025-05-22
[CRITICAL] CWE-863: An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability
Source: nvd
CVE-2025-10713 | P3 | CRITICAL | CVSS 9.1 | Affected: v3.1.0, v3.2.0, +7 more | 2025-11-05
[CRITICAL] CWE-611: An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from t
Source: nvd
CVE-2025-2905 | P3 | CRITICAL | CVSS 9.1 | Affected: ≤ 2.0.0 | 2025-05-05
[CRITICAL] CWE-611: Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to:
* Read sensitive files from the server's filesystem.
* Perform denial-of-service (D
Source: nvd
CVE-2025-8325 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 3.2.0, < 3.2.0.435; ≥ 3.2.1, < 3.2.1.55; +6 more | 2026-05-11
[HIGH] CWE-281: The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on
Source: nvd
CVE-2024-2374 | P3 | CRITICAL | CVSS 9.1 | Affected: ≥ 3.1.0, < 3.1.0.278; ≥ 3.2.0, < 3.2.0.368; +4 more | 2026-04-16
[CRITICAL] CWE-611: The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can rea
Source: nvd
CVE-2020-13226 | P3 | CRITICAL | CVSS 9.8 | Affected: v3.0.0 | 2020-05-20
[CRITICAL] CWE-918: WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.
Source: nvd
CVE-2025-10907 | P3 | HIGH | CVSS 7.2 | Affected: v3.1.0, v3.2.0, +7 more | 2025-11-05
[HIGH] CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code exe
Source: nvd
CVE-2021-42646 | P3 | CRITICAL | CVSS 9.1 | Affected: v2.6.0, v3.0.0, +3 more | 2022-05-11
[CRITICAL] CWE-611: XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive inf
Source: nvd
CVE-2025-3125 | P3 | HIGH | CVSS 7.2 | Affected: v3.2.0, v3.2.1, +6 more | 2025-11-05
[HIGH] CWE-434: An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is
Source: nvd
CVE-2025-13590 | P3 | HIGH | CVSS 7.2 | Affected: v4.2.0, v4.3.0, +3 more | 2026-02-19
[HIGH] CWE-434: A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Source: nvd