
WSO2 API Manager

77 known vulnerabilities across versions
Vulnerabilities are listed by affected version, with the CVSS score and severity for each entry.
CVE-2025-6024
all versions
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection
6.1 MEDIUM
CVE-2024-8010
>= 3.2.0 and < 3.2.0.397
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors t
3.5 LOW
CVE-2024-4867
>= 3.2.0 and < 3.2.0.408
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper outp
5.4 MEDIUM
CVE-2024-10242
>= 3.2.0 and < 3.2.0.401
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allow
6.1 MEDIUM
CVE-2024-2374
>= 3.1.0 and < 3.1.0.278
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution
7.5 HIGH
CVE-2024-1524
>= 4.2.0 and < 4.2.0.108
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a loc
7.7 HIGH
CVE-2025-13590
all versions
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment
9.1 CRITICAL
CVE-2025-9312
all versions
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOA
9.8 CRITICAL
CVE-2025-6670
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state
8.8 HIGH
CVE-2025-10853
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper ou
5.2 MEDIUM
CVE-2025-5770
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lac
6.1 MEDIUM
CVE-2025-11093
>= 3.1.0 and < 3.1.0.345
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and Nas
8.4 HIGH
CVE-2025-10907
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and des
8.4 HIGH
CVE-2025-10713
all versions
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The a
6.5 MEDIUM
CVE-2025-3125
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader
6.7 MEDIUM
CVE-2025-5605
all versions
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access t
4.3 MEDIUM
CVE-2025-5350
all versions
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible
5.9 MEDIUM
CVE-2025-9804
all versions
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain in
9.6 CRITICAL
CVE-2025-9152
all versions
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks i
9.8 CRITICAL
CVE-2025-10611
all versions
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certai
9.8 CRITICAL
CVE-2024-6429
all versions
A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions
4.3 MEDIUM
CVE-2025-5717
all versions
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in th
6.8 MEDIUM
CVE-2025-4760
all versions
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of us
4.8 MEDIUM
CVE-2024-4598
>= 3.2.0 and < 3.2.0.422
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Au
6.5 MEDIUM
CVE-2024-3511
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files store
4.3 MEDIUM
CVE-2024-8008
all versions
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error
5.2 MEDIUM
CVE-2024-3509
all versions
A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient i
4.3 MEDIUM
CVE-2024-1440
all versions
An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authe
5.4 MEDIUM
CVE-2024-7097
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows us
4.3 MEDIUM
CVE-2024-7096
all versions
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malic
4.2 MEDIUM
CVE-2024-5962
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missin
6.1 MEDIUM
CVE-2024-6914
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-rel
9.8 CRITICAL
CVE-2025-2905
<= 2.0.0
Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XM
9.1 CRITICAL
CVE-2024-5848
all versions
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-suppl
6.1 MEDIUM
CVE-2024-2321
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a
5.6 MEDIUM
CVE-2023-6911
all versions
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) att
4.8 MEDIUM
CVE-2023-6839
all versions
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package
5.3 MEDIUM
CVE-2023-6838
all versions
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in
6.1 MEDIUM
CVE-2023-6837
>= 2.5.0 and < 2.5.0.32
Multiple WSO2 products have been identified as vulnerable to perform user impersonation using JIT provisioning. In order for this
8.5 HIGH
CVE-2023-6836
<= 3.0.0
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but
4.6 MEDIUM
CVE-2023-6835
all versions
Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API r
4.3 MEDIUM
CVE-2023-31664
< 4.2.0
A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows a
6.1 MEDIUM
CVE-2021-42646
all versions
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API
9.1 CRITICAL
CVE-2022-29548
all versions
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0
4.6 MEDIUM
CVE-2022-29464
>= 2.2.0 and <= 4.0.0
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload end
9.8 CRITICAL
CVE-2021-43700
all versions
An issue was discovered in ApiManager 1.1. There is a SQL injection vulnerability that can be exploited via /index.php?act=api&tag=8.
9.8 CRITICAL
CVE-2021-36760
all versions
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affe
6.1 MEDIUM
CVE-2020-17453
<= 3.2.0
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
6.1 MEDIUM
CVE-2020-27885
all versions
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacke
6.1 MEDIUM
CVE-2020-17454
<= 3.1.0
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possibl
6.1 MEDIUM
CVE-2020-24706
<= 3.1.0
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, AP
6.1 MEDIUM
CVE-2020-24705
<= 3.1.0
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8 HIGH
CVE-2020-24704
all versions
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manage
6.1 MEDIUM
CVE-2020-24703
all versions
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8 HIGH
CVE-2020-24591
<= 3.0.0
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through
6.5 MEDIUM
CVE-2020-24590
<= 3.1.0
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
9.1 CRITICAL
CVE-2020-24589
<= 3.1.0
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) att
9.1 CRITICAL
CVE-2020-13883
<= 3.0.0
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Conso
6.7 MEDIUM
CVE-2020-13226
all versions
WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSR
9.8 CRITICAL
CVE-2020-12719
<= 3.0.0
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2
7.2 HIGH
CVE-2019-20439
all versions
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identif
4.8 MEDIUM
CVE-2019-20438
all versions
An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified
4.8 MEDIUM
CVE-2019-20437
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom cla
6.1 MEDIUM
CVE-2019-20436
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a cla
6.1 MEDIUM
CVE-2019-20435
all versions
An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation edito
4.8 MEDIUM
CVE-2019-20434
all versions
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identif
4.8 MEDIUM
CVE-2019-20443
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identi
4.8 MEDIUM
CVE-2019-20442
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identi
4.8 MEDIUM
CVE-2019-20441
all versions
An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified
4.8 MEDIUM
CVE-2019-20440
all versions
An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identif
4.8 MEDIUM
CVE-2019-15108
<= 2.6.0
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the
4.8 MEDIUM
CVE-2019-6513
all versions
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type o
5.4 MEDIUM
CVE-2019-6515
all versions
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated us
5.3 MEDIUM
CVE-2019-6512
all versions
An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal wor
4.1 MEDIUM
CVE-2018-20737
all versions
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
5.4 MEDIUM
CVE-2018-20736
all versions
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.
5.4 MEDIUM
CVE-2017-14651
all versions
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath
4.8 MEDIUM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin