Reflected Cross-Site Scripting via URL Parameter in Multiple WSO2 Products Enables UI Modification
Summary
| CVE | CVE-2025-8591 |
|---|---|
| State | PUBLISHED |
| Assigner | WSO2 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-06 11:16:25 UTC |
| Updated | 2026-07-09 13:04:39 UTC |
| Description | The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking. |
Risk And Classification
Primary CVSS: v3.1 6.1 MEDIUM from ed10eef1-636d-4fbe-9993-6890dfa878f8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.001610000 probability, percentile 0.056810000 (date 2026-07-08)
Problem Types: CWE-79 | CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ed10eef1-636d-4fbe-9993-6890dfa878f8 | Secondary | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 3.1 | CNA | CVSS | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
LowIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wso2 | Api Control Plane | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | WSO2 | WSO2 Identity Server | unknown 5.10.0 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 5.10.0 5.10.0.381 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 5.10.0 5.10.0.384 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 6.0.0 6.0.0.255 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 7.0.0 7.0.0.131 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 7.1.0 7.1.0.21 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server | affected 7.1.0 7.1.0.51 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | unknown 3.1.0 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.1.0 3.1.0.355 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.2.0 3.2.0.459 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 3.2.1 3.2.1.78 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.0.0 4.0.0.380 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.1.0 4.1.0.243 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.2.0 4.2.0.183 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.3.0 4.3.0.94 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.4.0 4.4.0.58 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.5.0 4.5.0.43 custom | Not specified |
| CNA | WSO2 | WSO2 API Manager | affected 4.6.0 4.6.0.7 custom | Not specified |
| CNA | WSO2 | WSO2 API Control Plane | affected 4.5.0 4.5.0.44 custom | Not specified |
| CNA | WSO2 | WSO2 API Control Plane | affected 4.6.0 4.6.0.8 custom | Not specified |
| CNA | WSO2 | WSO2 Traffic Manager | affected 4.5.0 4.5.0.42 custom | Not specified |
| CNA | WSO2 | WSO2 Traffic Manager | affected 4.6.0 4.6.0.7 custom | Not specified |
| CNA | WSO2 | WSO2 Universal Gateway | affected 4.5.0 4.5.0.42 custom | Not specified |
| CNA | WSO2 | WSO2 Universal Gateway | affected 4.6.0 4.6.0.7 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking AM | unknown 2.0.0 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking AM | affected 2.0.0 2.0.0.404 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server As Key Manager | unknown 5.10.0 custom | Not specified |
| CNA | WSO2 | WSO2 Identity Server As Key Manager | affected 5.10.0 5.10.0.375 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking IAM | unknown 2.0.0 custom | Not specified |
| CNA | WSO2 | WSO2 Open Banking IAM | affected 2.0.0 2.0.0.424 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO... | ed10eef1-636d-4fbe-9993-6890dfa878f8 | security.docs.wso2.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4343/#solution
There are currently no legacy QID mappings associated with this CVE.