WSO2 User Registration - Arbitrary Account Creation

The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings. id: CVE-2024-7097 info: name: WSO2 User Registration - Arbitrary Account Creation author: iamnoooob,rootxharsh,pdresearch...

WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting

WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests. id: CVE-2020-17453 info: name: WSO2 Carbon Management...

WSO2 - Server Side Request Forgery

WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services...

WSO2 Data Analytics Server 3.1.0 - Cross-Site Scripting

WSO2 Data Analytics Server 3.1.0 is susceptible to cross-site scripting in carbon/resources/addcollectionajaxprocessor.jsp via the collectionName or parentPath parameter. id: CVE-2017-14651 info: name: WSO2 Data Analytics Server 3.1.0 - Cross-Site Scripting author: mass0ma severity: medium...

WSO2 - Cross-Site Scripting

WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0,...

WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection

WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection XXE. XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit...

WSO2 Management - Arbitrary File Upload & Remote Code Execution

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key...

CVE-2025-12624

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...

CVE-2024-2374

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. ...

CVE-2025-10470 Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability

The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that...

CVE-2025-8325

The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x...

CVE-2025-9973 Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVE-2025-9973 Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization ca...

CVE-2025-9973

CVE-2025-9973 affects WS O2 Identity Server: failure to validate the organization context during adaptive authentication allows triggering authentication logic in other organizations/sub-organizations. This enables cross-organization authorization bypass, potentially leading to privilege escalati...

CVE-2025-8154

CVE-2025-8154 describes an HTTP header injection vulnerability in the Webhook API invocations causing headers to be injected/overwritten in responses. Affected products include multiple WSO2 offerings (e.g., API Manager, Universal Gateway, Traffic Manager, API Control Plane, Carbon API Gateway/Ma...

CVE-2024-0391 Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

CVE-2024-0391 Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

WSO2 Identity Server 安全漏洞

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a security vulnerability that stems from the lack of verification of user account status. This vulnerability may allow locked accounts to be successfully authenticated throug...

PT-2026-39584

Name of the Vulnerable Software and Affected Versions WSO2 APIM versions 3.x Description The software fails to enforce role-based access controls for certain Gateway API and Internal Service API invocations. Users assigned the 'Internal/Everyone' role can invoke these APIs, bypassing intended...

WSO2 Identity Server 访问控制错误漏洞

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a control access vulnerability that arises from the lack of verification of organizational context during the execution of adaptive authentication processes. This vulnerabili...