Known Vulnerabilities for products from WSO2

Listed below are 20 of the newest known vulnerabilities associated with the vendor "WSO2".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.

Known Vulnerabilities

CVE Shortened Description Severity Publish Date Last Modified
CVE-2026-4249 json The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient vali... Not Provided 2026-07-06 2026-07-09
CVE-2026-2053 json The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restr... Not Provided 2026-06-26 2026-06-27
CVE-2025-13590 json A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deploy... Not Provided 2026-02-19 2026-06-18
CVE-2025-13475 json In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between... Not Provided 2026-07-04 2026-07-09
CVE-2025-12624 json Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure t... Not Provided 2026-04-16 2026-04-23
CVE-2025-10908 json Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated ... Not Provided 2026-05-11 2026-05-27
CVE-2025-10503 json The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack ... Not Provided 2026-04-29 2026-05-01
CVE-2025-10470 json The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resourc... Not Provided 2026-05-11 2026-05-27
CVE-2025-9973 json Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows ... Not Provided 2026-05-11 2026-05-27
CVE-2025-8591 json The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to th... Not Provided 2026-07-06 2026-07-09
CVE-2025-8325 json The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyo... Not Provided 2026-05-11 2026-05-27
CVE-2025-8154 json In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation ... Not Provided 2026-05-11 2026-05-27
CVE-2025-6024 json The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script inje... Not Provided 2026-04-16 2026-04-23
CVE-2024-10242 json The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This ... Not Provided 2026-04-16 2026-04-23
CVE-2024-8010 json The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious act... Not Provided 2026-04-16 2026-04-23
CVE-2024-4867 json The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper... Not Provided 2026-04-16 2026-04-23
CVE-2024-2374 json The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resol... Not Provided 2026-04-16 2026-04-23
CVE-2024-1248 json The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate us... Not Provided 2026-07-04 2026-07-09
CVE-2024-0391 json The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to in... Not Provided 2026-05-11 2026-05-27
CVE-2023-31664 json A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 all... 6.1 - MEDIUM 2023-05-23 2023-05-30

Known software with vulnerabilities from WSO2

Type Vendor Product Version
ApplicationWso2Api Manager1.0.0
ApplicationWso2Api Manager Analytics2.5.0
ApplicationWso2Api Microgateway2.2.0
ApplicationWso2Enterprise Integrator6.4.0
ApplicationWso2Identity Server1.5.0
ApplicationWso2Identity Server Analytics5.6.0
ApplicationWso2Identity Server As Key Manager5.0.0
ApplicationWso2Transport-http6.0.100
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report