
WSO2 Enterprise Integrator

32 known vulnerabilities across versions
Vulnerabilities are listed by affected version, with the CVSS base score and severity for each CVE.
CVE-2025-6670
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state
8.8 HIGH
CVE-2025-10853
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper ou
5.2 MEDIUM
CVE-2025-11093
>= 6.6.0 and < 6.6.0.224
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and Nas
8.4 HIGH
CVE-2025-10907
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and des
8.4 HIGH
CVE-2025-10713
all versions
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The a
6.5 MEDIUM
CVE-2025-3125
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader
6.7 MEDIUM
CVE-2025-5605
all versions
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access t
4.3 MEDIUM
CVE-2025-5350
all versions
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible
5.9 MEDIUM
CVE-2025-9955
all versions
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions
5.7 MEDIUM
CVE-2025-9804
all versions
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain in
9.6 CRITICAL
CVE-2025-1862
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in t
6.7 MEDIUM
CVE-2024-3511
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files store
4.3 MEDIUM
CVE-2024-8008
all versions
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error
5.2 MEDIUM
CVE-2024-3509
all versions
A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient i
4.3 MEDIUM
CVE-2024-0392
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the
5.4 MEDIUM
CVE-2023-6911
all versions
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) att
4.8 MEDIUM
CVE-2023-6836
<= 6.6.0
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but
4.6 MEDIUM
CVE-2022-39810
all versions
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identif
6.1 MEDIUM
CVE-2022-39809
all versions
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identif
6.1 MEDIUM
CVE-2022-29548
all versions
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0
4.6 MEDIUM
CVE-2022-29464
>= 6.2.0 and <= 6.6.0
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload end
9.8 CRITICAL
CVE-2020-17453
<= 6.6.0
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
6.1 MEDIUM
CVE-2020-25516
<= 6.6.0
WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks.
5.4 MEDIUM
CVE-2020-24704
<= 6.6.0
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manage
6.1 MEDIUM
CVE-2020-24703
<= 6.6.0
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8 HIGH
CVE-2020-24591
all versions
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through
6.5 MEDIUM
CVE-2020-12719
<= 6.4.0
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2
7.2 HIGH
CVE-2020-11885
<= 6.6.0
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validat
7.2 HIGH
CVE-2019-20443
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identi
4.8 MEDIUM
CVE-2019-20442
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identi
4.8 MEDIUM
CVE-2019-19587
all versions
In WSO2 Enterprise Integrator 6.5.0, reflected XSS occurs when updating the message processor configuration from the source view i
6.1 MEDIUM
CVE-2017-14651
all versions
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath
4.8 MEDIUM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin