Known Vulnerabilities for products from WSO2
Listed below are 20 of the newest known vulnerabilities associated with the vendor "WSO2".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2025-12624 json | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure t... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2025-10503 json | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack ... | Not Provided | 2026-04-29 | 2026-05-01 |
| CVE-2025-9973 json | | Not Provided | 2026-05-11 | 2026-05-11 |
| CVE-2025-8325 json | | Not Provided | 2026-05-11 | 2026-05-11 |
| CVE-2025-6024 json | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script inje... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-10242 json | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This ... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-8010 json | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious act... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-4867 json | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-2374 json | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resol... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2023-31664 json | A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 all... | 6.1 - MEDIUM | 2023-05-23 | 2023-05-30 |
| CVE-2023-6837 json | A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 all... | 8.2 - HIGH | 2023-12-15 | 2024-01-05 |
| CVE-2022-39810 json | An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been id... | 6.1 - MEDIUM | 2022-09-09 | 2022-09-14 |
| CVE-2022-39809 json | An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been id... | 6.1 - MEDIUM | 2022-09-09 | 2022-09-14 |
| CVE-2022-29548 json | A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0... | 6.1 - MEDIUM | 2022-04-21 | 2023-11-03 |
| CVE-2022-29464 json | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileuploa... | 9.8 - CRITICAL | 2022-04-18 | 2023-10-23 |
| CVE-2022-4521 json | A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of... | 6.1 - MEDIUM | 2022-12-15 | 2023-11-07 |
| CVE-2022-4520 json | A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is s... | 6.1 - MEDIUM | 2022-12-15 | 2023-11-07 |
| CVE-2021-42646 json | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new secur... | 9.1 - CRITICAL | 2022-05-11 | 2024-01-11 |
| CVE-2021-36760 json | In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack... | 6.1 - MEDIUM | 2021-12-07 | 2021-12-09 |
| CVE-2020-27885 json | Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the at... | 6.1 - MEDIUM | 2020-10-29 | 2020-11-03 |
Known software with vulnerabilities from WSO2
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Wso2 | Api Manager | 1.0.0 |
| Application | Wso2 | Api Manager Analytics | 2.5.0 |
| Application | Wso2 | Api Microgateway | 2.2.0 |
| Application | Wso2 | Enterprise Integrator | 6.4.0 |
| Application | Wso2 | Identity Server | 1.5.0 |
| Application | Wso2 | Identity Server Analytics | 5.6.0 |
| Application | Wso2 | Identity Server As Key Manager | 5.0.0 |
| Application | Wso2 | Transport-http | 6.0.100 |