CVE-2025-8154 HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation

🗓️ 11 May 2026 09:30:36Reported by WSO2Type

CVE 2025 8154: Webhook service allows HTTP header injection via user input.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2025-8154	11 May 202609:30	–	attackerkb
Circl	CVE-2025-8154	11 May 202611:33	–	circl
CNNVD	WSO2多款产品注入漏洞	11 May 202600:00	–	cnnvd
CVE	CVE-2025-8154	11 May 202609:30	–	cve
EUVD	EUVD-2025-209758	11 May 202612:32	–	euvd
NVD	CVE-2025-8154	11 May 202610:16	–	nvd
Positive Technologies	PT-2026-39583	11 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-8154	5 Jun 202619:40	–	redhatcve
Vulnrichment	CVE-2025-8154 HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation	11 May 202609:30	–	vulnrichment

[
  {
    "vendor": "WSO2",
    "product": "WSO2 API Manager",
    "versions": [
      {
        "status": "unknown",
        "version": "0",
        "lessThan": "4.1.0",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.1.0",
        "lessThan": "4.1.0.218",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.2.0",
        "lessThan": "4.2.0.164",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.3.0",
        "lessThan": "4.3.0.74",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.4.0",
        "lessThan": "4.4.0.38",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "4.5.0",
        "lessThan": "4.5.0.20",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "WSO2",
    "product": "WSO2 Universal Gateway",
    "versions": [
      {
        "status": "affected",
        "version": "4.5.0",
        "lessThan": "4.5.0.19",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "WSO2",
    "product": "WSO2 Traffic Manager",
    "versions": [
      {
        "status": "affected",
        "version": "4.5.0",
        "lessThan": "4.5.0.19",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "WSO2",
    "product": "WSO2 API Control Plane",
    "versions": [
      {
        "status": "affected",
        "version": "4.5.0",
        "lessThan": "4.5.0.21",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "WSO2",
    "product": "WSO2 Carbon API Gateway",
    "packageName": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.gateway",
    "versions": [
      {
        "status": "affected",
        "version": "9.20.74",
        "lessThan": "9.20.74.374",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.28.116",
        "lessThan": "9.28.116.363",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.29.120",
        "lessThan": "9.29.120.181",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.30.67",
        "lessThan": "9.30.67.104",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.31.86",
        "lessThan": "9.31.86.64",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "9.32.2",
        "lessThanOrEqual": "*",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "WSO2",
    "product": "WSO2 Carbon API Management Implementation",
    "packageName": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl",
    "versions": [
      {
        "status": "affected",
        "version": "9.20.74",
        "lessThan": "9.20.74.374",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.28.116",
        "lessThan": "9.28.116.363",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.29.120",
        "lessThan": "9.29.120.181",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.30.67",
        "lessThan": "9.30.67.104",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "9.31.86",
        "lessThan": "9.31.86.64",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "9.32.2",
        "lessThanOrEqual": "*",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Source	Link
security	www.security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/

11 May 2026 09:43Current

CVSS 3.15.3

EPSS0.00186

CWE-74