threat
engine
.sh
Back
·
··:··
Home
/
Product
/
wso2 api control plane
Product
wso2 api control plane
16 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2025-13590
all versions
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment
9.1
CRITICAL
CVE-2025-9312
all versions
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOA
9.8
CRITICAL
CVE-2025-6670
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state
8.8
HIGH
CVE-2025-10853
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper ou
5.2
MEDIUM
CVE-2025-5770
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lac
6.1
MEDIUM
CVE-2025-11093
>= 4.5.0 and < 4.5.0.29
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and Nas
8.4
HIGH
CVE-2025-10907
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and des
8.4
HIGH
CVE-2025-10713
all versions
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The a
6.5
MEDIUM
CVE-2025-3125
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader
6.7
MEDIUM
CVE-2025-5605
all versions
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access t
4.3
MEDIUM
CVE-2025-5350
all versions
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible
5.9
MEDIUM
CVE-2025-9804
all versions
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain in
9.6
CRITICAL
CVE-2025-9152
all versions
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks i
9.8
CRITICAL
CVE-2025-10611
all versions
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certai
9.8
CRITICAL
CVE-2025-5717
all versions
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in th
6.8
MEDIUM
CVE-2025-4760
all versions
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of us
4.8
MEDIUM
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin