Known Vulnerabilities for products from WSO2
Listed below are 20 of the newest known vulnerabilities associated with the vendor "WSO2".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-4249 json | The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient vali... | Not Provided | 2026-07-06 | 2026-07-09 |
| CVE-2026-2053 json | The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restr... | Not Provided | 2026-06-26 | 2026-06-27 |
| CVE-2025-13590 json | A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deploy... | Not Provided | 2026-02-19 | 2026-06-18 |
| CVE-2025-13475 json | In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between... | Not Provided | 2026-07-04 | 2026-07-09 |
| CVE-2025-12624 json | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure t... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2025-10908 json | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated ... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-10503 json | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack ... | Not Provided | 2026-04-29 | 2026-05-01 |
| CVE-2025-10470 json | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resourc... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-9973 json | Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows ... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-8591 json | The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to th... | Not Provided | 2026-07-06 | 2026-07-09 |
| CVE-2025-8325 json | The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyo... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-8154 json | In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation ... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-6024 json | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script inje... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-10242 json | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This ... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-8010 json | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious act... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-4867 json | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-2374 json | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resol... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-1248 json | The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate us... | Not Provided | 2026-07-04 | 2026-07-09 |
| CVE-2024-0391 json | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to in... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2023-31664 json | A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 all... | 6.1 - MEDIUM | 2023-05-23 | 2023-05-30 |
Known software with vulnerabilities from WSO2
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Wso2 | Api Manager | 1.0.0 |
| Application | Wso2 | Api Manager Analytics | 2.5.0 |
| Application | Wso2 | Api Microgateway | 2.2.0 |
| Application | Wso2 | Enterprise Integrator | 6.4.0 |
| Application | Wso2 | Identity Server | 1.5.0 |
| Application | Wso2 | Identity Server Analytics | 5.6.0 |
| Application | Wso2 | Identity Server As Key Manager | 5.0.0 |
| Application | Wso2 | Transport-http | 6.0.100 |