WSO2 API Manager vulnerabilities
45 known vulnerabilities affecting wso2/wso2_api_manager.
Total CVEs: 45
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 8, HIGH 12, MEDIUM 25
Vulnerabilities
Page 2 of 3
CVE-2024-8010 | P3 | HIGH | CVSS 7.5 | CWE-611 | Affected: ≥ 3.2.0, < 3.2.0.397; ≥ 3.2.1, < 3.2.1.27; +5 more | Date: 2026-04-16 | Source: nvd
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.
By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP reso
CVE-2025-6670 | P3 | HIGH | CVSS 8.8 | CWE-352 | Affected: ≥ 3.1.0, < 3.1.0.349; ≥ 3.2.0, < 3.2.0.453; +8 more | Date: 2025-11-18 | Source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows co
CVE-2025-8154 | P3 | HIGH | CVSS 7.5 | CWE-74 | Affected: ≥ 4.1.0, < 4.1.0.218; ≥ 4.2.0, < 4.2.0.164; +3 more | Date: 2026-05-11 | Source: nvd
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.
By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, inc
CVE-2025-9804 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | Affected: ≥ 2.0.0, < 2.0.0.31; ≥ 2.1.0, < 2.1.0.40; +13 more | Date: 2025-10-16 | Source: nvd
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal admini
CVE-2023-6836 | P3 | HIGH | CVSS 7.5 | CWE-611 | Affected: ≥ 3.0.0.0, < 3.0.0.1 | Date: 2023-12-15 | Source: nvd
Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack, which abuses a widely available but rarely used feature of XML parsers to access sensitive information.
CVE-2024-4598 | P3 | MEDIUM | CVSS 6.5 | CWE-1259 | Affected: ≥ 3.2.0, < 3.2.0.422; ≥ 3.2.1, < 3.2.1.42; +2 more | Date: 2025-09-23 | Source: nvd
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.
This vulnerability does not impact user crede
CVE-2024-2321 | P4 | MEDIUM | CVSS 5.6 | CWE-863 | Affected: ≥ 4.0.0, < 4.0.0.275; ≥ 4.1.0, < 4.1.0.153; +1 more | Date: 2025-02-27 | Source: nvd
An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations.
Exploitation requi
CVE-2025-6024 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.1.0, < 3.1.0.351; ≥ 3.2.0, < 3.2.0.455; +3 more | Date: 2026-04-16 | Source: nvd
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, o
CVE-2024-10242 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.2.0, < 3.2.0.401; ≥ 4.0.0, < 4.0.0.318 | Date: 2026-04-16 | Source: nvd
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser.
Successful exploitation can enable an attacker to redirect the user's browser to a malicious we
CVE-2024-1440 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: ≥ 3.1.0, < 3.1.0.262; ≥ 3.2.0, < 3.2.0.344; +1 more | Date: 2025-06-02 | Source: nvd
An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.
By exploiting this vulnerability, an attacker may trick users in
CVE-2024-7096 | P4 | MEDIUM | CVSS 5.4 | CWE-863 | Affected: ≥ 2.0.0, < 2.0.0.29; ≥ 2.1.0, < 2.1.0.39; +11 more | Date: 2025-05-30 | Source: nvd
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:
* SOAP admin services are accessible to the attacker.
* The deployment includes an internally used attribute that
CVE-2023-6838 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.1.0.0, < 3.1.0.14; ≥ 3.2.0.0, < 3.2.0.10 | Date: 2023-12-15 | Source: nvd
A reflected XSS vulnerability can be exploited by tampering with a request parameter in the Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
CVE-2024-5962 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 4.2.0, < 4.2.0.94; ≥ 4.3.0, < 4.3.0.9 | Date: 2025-05-22 | Source: nvd
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output encoding of user-supplied input. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the authentication flow, potentially leading to UI modifications, redirections to malicious websi
CVE-2025-5770 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 4.2.0, < 4.2.0.150; ≥ 4.3.0, < 4.3.0.63; +2 more | Date: 2025-11-05 | Source: nvd
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.
Exploitation may result in redirec
CVE-2023-6835 | P4 | MEDIUM | CVSS 5.3 | CWE-20 | Affected: ≥ 2.2.0.0, < 2.2.0.16; ≥ 2.5.0.0, < 2.5.0.17; +1 more | Date: 2023-12-15 | Source: nvd
Multiple WSO2 products have been identified as vulnerable due to a lack of server-side input validation in the Forum feature; the API rating could be manipulated.
CVE-2024-5848 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.1.0, < 3.1.0.285; ≥ 3.2.0, < 3.2.0.375; +5 more | Date: 2025-02-27 | Source: nvd
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript.
Successful exploitation could lead to UI mani
CVE-2025-10853 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 3.1.0, < 3.1.0.344; ≥ 3.2.0, < 3.2.0.445; +7 more | Date: 2025-11-05 | Source: nvd
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to
CVE-2024-4867 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 3.2.0, < 3.2.0.408; ≥ 3.2.1, < 3.2.1.32; +2 more | Date: 2026-04-16 | Source: nvd
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.
By leveraging this cross-site scripting vulnerability, a malicious actor can cause the
CVE-2023-6839 | P4 | MEDIUM | CVSS 5.3 | CWE-209 | Affected: ≥ 3.0.0.0, < 3.0.0.15; ≥ 3.2.0.0, < 3.2.0.32 | Date: 2023-12-15 | Source: nvd
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.
CVE-2024-8008 | P4 | MEDIUM | CVSS 5.2 | CWE-79 | Affected: ≥ 3.1.0, < 3.1.0.305; ≥ 3.2.0, < 3.2.0.396; +7 more | Date: 2025-06-02 | Source: nvd
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the v