EUVD-2025-209758

🗓️ 11 May 2026 12:32:31Reported by EUVDType

Webhook API accepts unvalidated input for headers, enabling arbitrary response header injection and possible session hijacking.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2025-8154	11 May 202609:30	–	attackerkb
Circl	CVE-2025-8154	11 May 202611:33	–	circl
CNNVD	WSO2多款产品注入漏洞	11 May 202600:00	–	cnnvd
CVE	CVE-2025-8154	11 May 202609:30	–	cve
Cvelist	CVE-2025-8154 HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation	11 May 202609:30	–	cvelist
NVD	CVE-2025-8154	11 May 202610:16	–	nvd
Positive Technologies	PT-2026-39583	11 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-8154	5 Jun 202619:40	–	redhatcve
Vulnrichment	CVE-2025-8154 HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation	11 May 202609:30	–	vulnrichment

[
  {
    "enisaIdVendor": [
      {
        "id": "c6552924-7815-38a6-be45-1ead69e6364b",
        "vendor": {
          "name": "WSO2"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "02450497-215f-3593-a24f-b441f0e774b7",
        "product": {
          "name": "WSO2 Carbon API Gateway"
        },
        "product_version": "9.20.74 <9.20.74.374"
      },
      {
        "id": "08b9288f-f901-379c-9fd0-c7f671784815",
        "product": {
          "name": "WSO2 API Manager"
        },
        "product_version": ""
      },
      {
        "id": "0c4fb929-ad2e-3e80-b6f1-829a8b37a1a5",
        "product": {
          "name": "WSO2 Carbon API Gateway"
        },
        "product_version": "9.30.67 <9.30.67.104"
      },
      {
        "id": "0d17a0b3-8ef8-3939-925c-1ea080f71fb9",
        "product": {
          "name": "WSO2 Carbon API Gateway"
        },
        "product_version": "9.29.120 <9.29.120.181"
      },
      {
        "id": "1744f958-d79e-30d2-9fb7-2ec2d3f3030c",
        "product": {
          "name": "WSO2 API Manager"
        },
        "product_version": "4.2.0 <4.2.0.164"
      },
      {
        "id": "288ea96c-c34d-3c0c-a68c-373252c3d468",
        "product": {
          "name": "WSO2 API Control Plane"
        },
        "product_version": "4.5.0 <4.5.0.21"
      },
      {
        "id": "32fe57c0-c387-32f6-8509-83019440cb91",
        "product": {
          "name": "WSO2 Carbon API Gateway"
        },
        "product_version": "9.28.116 <9.28.116.363"
      },
      {
        "id": "3947a99b-7fa3-32bc-aacc-2b1cb767249a",
        "product": {
          "name": "WSO2 Universal Gateway"
        },
        "product_version": "4.5.0 <4.5.0.19"
      },
      {
        "id": "3c52ffeb-02b9-3b08-a48d-6960459060c1",
        "product": {
          "name": "WSO2 Carbon API Management Implementation"
        },
        "product_version": ""
      },
      {
        "id": "3f743d63-4b33-3ee5-9eee-da0a2af0555e",
        "product": {
          "name": "WSO2 API Manager"
        },
        "product_version": "4.5.0 <4.5.0.20"
      },
      {
        "id": "540cc7f1-adc5-3721-ad26-bf2fc097903c",
        "product": {
          "name": "WSO2 Carbon API Management Implementation"
        },
        "product_version": "9.28.116 <9.28.116.363"
      },
      {
        "id": "5a4471db-ab54-3b07-9878-1a4d0ebccea5",
        "product": {
          "name": "WSO2 Carbon API Management Implementation"
        },
        "product_version": "9.29.120 <9.29.120.181"
      },
      {
        "id": "6ca5b8e0-38de-3d10-a8b8-72cea4784f8b",
        "product": {
          "name": "WSO2 Carbon API Gateway"
        },
        "product_version": ""
      },
      {
        "id": "77e1201a-733f-3efe-a7b5-5ce27e64e55a",
        "product": {
          "name": "WSO2 Carbon API Management Implementation"
        },
        "product_version": "9.30.67 <9.30.67.104"
      },
      {
        "id": "90012622-4d38-3f08-bdf2-eddb47fd6cb8",
        "product": {
          "name": "WSO2 Carbon API Management Implementation"
        },
        "product_version": "9.20.74 <9.20.74.374"
      },
      {
        "id": "9a6191ec-d3b7-397a-96ca-5c8bf2f390c9",
        "product": {
          "name": "WSO2 API Manager"
        },
        "product_version": "4.1.0 <4.1.0.218"
      },
      {
        "id": "9f31331b-08da-35b0-9cd0-d605b8eee37a",
        "product": {
          "name": "WSO2 Carbon API Gateway"
        },
        "product_version": "9.31.86 <9.31.86.64"
      },
      {
        "id": "b68d5849-393c-38e4-8d8c-14ef5084339f",
        "product": {
          "name": "WSO2 Carbon API Management Implementation"
        },
        "product_version": "9.31.86 <9.31.86.64"
      },
      {
        "id": "c5a224b8-556e-380a-8cc5-bb05a6ded0bd",
        "product": {
          "name": "WSO2 API Manager"
        },
        "product_version": "4.3.0 <4.3.0.74"
      },
      {
        "id": "d9fc41f0-4cd0-3a16-9120-bdd35d711bcf",
        "product": {
          "name": "WSO2 Traffic Manager"
        },
        "product_version": "4.5.0 <4.5.0.19"
      },
      {
        "id": "dd25d016-9749-3e80-af51-0e3267f8a35c",
        "product": {
          "name": "WSO2 API Manager"
        },
        "product_version": "4.4.0 <4.4.0.38"
      }
    ]
  }
]

Source	Link
security	www.security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-8154

11 May 2026 12:32Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

EPSS0.00186

SSVC