WSO2 API Manager vulnerabilities
45 known vulnerabilities affecting wso2/wso2_api_manager.
Total CVEs: 45
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 8, HIGH 12, MEDIUM 25
Vulnerabilities
Page 3 of 3
CVE-2025-4760 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ 3.2.0, < 3.2.0.428; ≥ 3.2.1, < 3.2.1.48; +5 more | date: 2025-09-23 | source: nvd
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed b
CVE-2024-3511 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | affected: ≥ 3.1.0, < 3.1.0.273; ≥ 3.2.0, < 3.2.0.361; +5 more | date: 2025-06-23 | source: nvd
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.
Successful exploi
CVE-2024-6429 | P4 | MEDIUM | CVSS 4.3 | CWE-451 | affected: ≥ 3.2.0, < 3.2.0.409; ≥ 3.2.1, < 3.2.1.33; +5 more | date: 2025-09-23 | source: nvd
A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI.
By exploiting this vulnerability, attackers can manipulate browser-displayed error m
CVE-2023-6911 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected: ≥ 2.2.0.0, < 2.2.0.1; ≥ 2.5.0.0, < 2.5.0.1; +4 more | date: 2023-12-18 | source: nvd
Multiple WSO2 products have been identified as vulnerable due to improper output encoding: a stored cross-site scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.
CVE-2024-3509 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affected: ≥ 3.1.0, < 3.1.0.275; ≥ 3.2.0, < 3.2.0.392; +5 more | date: 2025-06-02 | source: nvd
A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section.
To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the act