CVE-2024-2374

>= 2.0.0 and < 2.0.0.348

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution

7.5HIGH

CVE-2025-9312

all versions

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOA

9.8CRITICAL

CVE-2025-6670

all versions

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state

8.8HIGH

CVE-2025-10853

all versions

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper ou

5.2MEDIUM

CVE-2025-10907

all versions

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and des

8.4HIGH

CVE-2025-10713

all versions

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The a

6.5MEDIUM

CVE-2025-3125

all versions

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader

6.7MEDIUM

CVE-2025-5605

all versions

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access t

4.3MEDIUM

CVE-2025-5350

all versions

SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible

5.9MEDIUM

CVE-2025-9804

all versions

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain in

9.6CRITICAL

CVE-2025-10611

all versions

Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certai

9.8CRITICAL

CVE-2025-1862

all versions

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in t

6.7MEDIUM

CVE-2025-1396

all versions

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration

3.7LOW

CVE-2025-0672

all versions

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account i

3.3LOW

CVE-2025-0663

all versions

A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Auth

6.8MEDIUM

CVE-2024-3511

all versions

An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files store

4.3MEDIUM

CVE-2024-8008

all versions

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error

5.2MEDIUM

CVE-2024-7073

all versions

A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin

6.5MEDIUM

CVE-2024-7097

all versions

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows us

4.3MEDIUM

CVE-2024-7096

all versions

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malic

4.2MEDIUM

CVE-2024-6914

all versions

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-rel

9.8CRITICAL

CVE-2022-29464

all versions

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload end

9.8CRITICAL