Wso2 Api Control Plane — known CVE vulnerabilities
Every CVE whose affected-product data names Wso2 Api Control Plane, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (18)
CVE-2025-9152 — CVSS 9.8 (critical): An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the…
CVE-2025-10611 — CVSS 9.8 (critical): Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST…
CVE-2025-9312 — CVSS 9.8 (critical): A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP…
CVE-2025-9804 — CVSS 9.6 (critical): An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal…
CVE-2025-13590 — CVSS 9.1 (critical): A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a…
CVE-2025-6670 — CVSS 8.8 (high): A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing…
CVE-2025-11093 — CVSS 8.4 (high): An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS…
CVE-2025-10907 — CVSS 8.4 (high): An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination…
CVE-2025-5717 — CVSS 6.8 (medium): An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event…
CVE-2025-3125 — CVSS 6.7 (medium): An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin…
CVE-2025-10713 — CVSS 6.5 (medium): An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The…
CVE-2025-8325 — CVSS 6.3 (medium): The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can…
CVE-2025-5770 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of…
CVE-2025-5350 — CVSS 5.9 (medium): SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to…
CVE-2025-8154 — CVSS 5.3 (medium): In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or…
CVE-2025-10853 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output…
CVE-2025-4760 — CVSS 4.8 (medium): An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of…
CVE-2025-5605 — CVSS 4.3 (medium): An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the…