Known Vulnerabilities for products from Wso2
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Wso2".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2025-12624 | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure t... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2025-10908 | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated ... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-10503 | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack ... | Not Provided | 2026-04-29 | 2026-05-01 |
| CVE-2025-10470 | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resourc... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-9973 | Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows ... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-8325 | | Not Provided | 2026-05-11 | 2026-05-11 |
| CVE-2025-8154 | In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation ... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2025-6024 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script inje... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-10242 | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This ... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-8010 | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious act... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-4867 | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-2374 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resol... | Not Provided | 2026-04-16 | 2026-04-23 |
| CVE-2024-0391 | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to in... | Not Provided | 2026-05-11 | 2026-05-27 |
| CVE-2023-31664 | A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 all... | 6.1 - MEDIUM | 2023-05-23 | 2023-05-30 |
| CVE-2023-6837 | A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 all... | 8.2 - HIGH | 2023-12-15 | 2024-01-05 |
| CVE-2022-39810 | An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been id... | 6.1 - MEDIUM | 2022-09-09 | 2022-09-14 |
| CVE-2022-39809 | An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been id... | 6.1 - MEDIUM | 2022-09-09 | 2022-09-14 |
| CVE-2022-29548 | A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0... | 6.1 - MEDIUM | 2022-04-21 | 2023-11-03 |
| CVE-2022-29464 | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileuploa... | 9.8 - CRITICAL | 2022-04-18 | 2023-10-23 |
| CVE-2022-4521 | A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of... | 6.1 - MEDIUM | 2022-12-15 | 2023-11-07 |
Known software with vulnerabilities from Wso2
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Wso2 | Api Manager | 1.0.0 |
| Application | Wso2 | Api Manager Analytics | 2.5.0 |
| Application | Wso2 | Api Microgateway | 2.2.0 |
| Application | Wso2 | Enterprise Integrator | 6.4.0 |
| Application | Wso2 | Identity Server | 1.5.0 |
| Application | Wso2 | Identity Server Analytics | 5.6.0 |
| Application | Wso2 | Identity Server As Key Manager | 5.0.0 |
| Application | Wso2 | Transport-http | 6.0.100 |