threat
engine
.sh
Back
·
··:··
Home
/
Product
/
wso2 identity server
Product
wso2 identity server
66 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2025-10503
>= 7.1.0 and < 7.1.0.28
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of pr
6.1
MEDIUM
CVE-2025-12624
all versions
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enf
6.0
MEDIUM
CVE-2025-6024
all versions
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection
6.1
MEDIUM
CVE-2024-2374
>= 5.10.0 and < 5.10.0.300
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution
7.5
HIGH
CVE-2024-1524
>= 6.0.0 and < 6.0.0.171
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a loc
7.7
HIGH
CVE-2025-12107
all versions
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute
8.4
HIGH
CVE-2025-9312
all versions
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOA
9.8
CRITICAL
CVE-2025-6670
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state
8.8
HIGH
CVE-2025-10853
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper ou
5.2
MEDIUM
CVE-2025-5770
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lac
6.1
MEDIUM
CVE-2025-10907
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and des
8.4
HIGH
CVE-2025-10713
all versions
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The a
6.5
MEDIUM
CVE-2025-3125
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader
6.7
MEDIUM
CVE-2025-5605
all versions
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access t
4.3
MEDIUM
CVE-2025-5350
all versions
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible
5.9
MEDIUM
CVE-2025-9804
all versions
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain in
9.6
CRITICAL
CVE-2025-10611
all versions
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certai
9.8
CRITICAL
CVE-2025-1862
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in t
6.7
MEDIUM
CVE-2025-1396
all versions
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration
3.7
LOW
CVE-2025-0672
all versions
An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account i
3.3
LOW
CVE-2025-0209
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improp
6.1
MEDIUM
CVE-2025-0663
all versions
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Auth
6.8
MEDIUM
CVE-2024-6429
all versions
A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions
4.3
MEDIUM
CVE-2024-3511
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files store
4.3
MEDIUM
CVE-2024-8008
all versions
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error
5.2
MEDIUM
CVE-2024-7073
all versions
A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin
6.5
MEDIUM
CVE-2024-3509
all versions
A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient i
4.3
MEDIUM
CVE-2024-1440
all versions
An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authe
5.4
MEDIUM
CVE-2024-7097
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows us
4.3
MEDIUM
CVE-2024-7096
all versions
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malic
4.2
MEDIUM
CVE-2024-5962
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missin
6.1
MEDIUM
CVE-2024-7487
all versions
An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native
5.8
MEDIUM
CVE-2024-7103
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due t
4.6
MEDIUM
CVE-2024-6914
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-rel
9.8
CRITICAL
CVE-2024-2321
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a
5.6
MEDIUM
CVE-2023-6911
all versions
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) att
4.8
MEDIUM
CVE-2023-6838
all versions
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in
6.1
MEDIUM
CVE-2023-6837
>= 5.6.0 and < 5.6.0.16
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this
8.5
HIGH
CVE-2023-6836
all versions
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but
4.6
MEDIUM
CVE-2021-42646
all versions
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API
9.1
CRITICAL
CVE-2022-29548
all versions
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0
4.6
MEDIUM
CVE-2022-29464
>= 5.2.0 and <= 5.11.0
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload end
9.8
CRITICAL
CVE-2021-36760
all versions
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affe
6.1
MEDIUM
CVE-2020-17453
<= 5.10.0
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
6.1
MEDIUM
CVE-2020-24706
<= 5.10.0
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, AP
6.1
MEDIUM
CVE-2020-24705
<= 5.10.0
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8
HIGH
CVE-2020-24704
all versions
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manage
6.1
MEDIUM
CVE-2020-24703
all versions
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8
HIGH
CVE-2020-14446
<= 5.10.0
An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.
6.1
MEDIUM
CVE-2020-14445
<= 5.9.0
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cros
5.4
MEDIUM
CVE-2020-14444
<= 5.9.0
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cros
5.4
MEDIUM
CVE-2020-12719
<= 5.9.0
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2
7.2
HIGH
CVE-2019-20437
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom cla
6.1
MEDIUM
CVE-2019-20436
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a cla
6.1
MEDIUM
CVE-2019-20443
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identi
4.8
MEDIUM
CVE-2019-20442
all versions
An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identi
4.8
MEDIUM
CVE-2019-18882
all versions
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
6.1
MEDIUM
CVE-2019-18881
all versions
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
6.1
MEDIUM
CVE-2019-12250
<= 2.4.0
IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs Lo
6.1
MEDIUM
CVE-2018-20737
all versions
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
5.4
MEDIUM
CVE-2018-8716
< 5.5.0
WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers.
5.4
MEDIUM
CVE-2018-8899
>= 1.0.0 and <= 1.5.2
IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization respons
6.1
MEDIUM
CVE-2017-14651
all versions
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath
4.8
MEDIUM
CVE-2017-12677
all versions
IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expression on the authorize response page, which might
6.1
MEDIUM
CVE-2016-4312
all versions
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-023
7.5
HIGH
CVE-2016-4311
all versions
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to
8.8
HIGH
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin