Every CVE whose affected-product data names Wso2 Api Manager, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (79)
CVE-2025-10611 — CVSS 9.8 (critical): Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST…
CVE-2020-13226 — CVSS 9.8 (critical): WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this…
CVE-2025-9152 — CVSS 9.8 (critical): An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the…
CVE-2024-6914 — CVSS 9.8 (critical): An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP…
CVE-2025-9312 — CVSS 9.8 (critical): A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP…
CVE-2025-9804 — CVSS 9.6 (critical): An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal…
CVE-2021-42646 — CVSS 9.1 (critical): XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager…
CVE-2020-24590 — CVSS 9.1 (critical): The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
CVE-2025-13590 — CVSS 9.1 (critical): A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a…
CVE-2020-24589 — CVSS 9.1 (critical): The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
CVE-2025-2905 — CVSS 9.1 (critical): Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML…
CVE-2025-6670 — CVSS 8.8 (high): A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing…
CVE-2020-24703 — CVSS 8.8 (high): An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled…
CVE-2020-24705 — CVSS 8.8 (high): An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled…
CVE-2023-6837 — CVSS 8.5 (high): Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this…
CVE-2025-10907 — CVSS 8.4 (high): An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination…
CVE-2025-11093 — CVSS 8.4 (high): An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS…
CVE-2026-2053 — CVSS 8.3 (high): The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict…
CVE-2024-1524 — CVSS 7.7 (high): When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user…
CVE-2024-2374 — CVSS 7.5 (high): The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of…
CVE-2020-12719 — CVSS 7.2 (high): XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and…
CVE-2025-5717 — CVSS 6.8 (medium): An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event…
CVE-2020-13883 — CVSS 6.7 (medium): In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows…
CVE-2025-3125 — CVSS 6.7 (medium): An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin…
CVE-2020-24591 — CVSS 6.5 (medium): The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0…
CVE-2025-10713 — CVSS 6.5 (medium): An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The…
CVE-2024-4598 — CVSS 6.5 (medium): An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator…
CVE-2025-8325 — CVSS 6.3 (medium): The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can…
CVE-2021-36760 — CVSS 6.1 (medium): In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the…
CVE-2019-20436 — CVSS 6.1 (medium): An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim…
CVE-2019-20437 — CVSS 6.1 (medium): An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim…
CVE-2020-17454 — CVSS 6.1 (medium): WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to…
CVE-2020-24704 — CVSS 6.1 (medium): An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager…
CVE-2020-24706 — CVSS 6.1 (medium): An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager…
CVE-2020-27885 — CVSS 6.1 (medium): Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can…
CVE-2023-31664 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers…
CVE-2023-6838 — CVSS 6.1 (medium): Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both…
CVE-2024-10242 — CVSS 6.1 (medium): The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an…
CVE-2024-5848 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data…
CVE-2024-5962 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output…
CVE-2025-5770 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of…
CVE-2025-6024 — CVSS 6.1 (medium): The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An…
CVE-2025-5350 — CVSS 5.9 (medium): SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to…
CVE-2024-2321 — CVSS 5.6 (medium): An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh…
CVE-2018-20737 — CVSS 5.4 (medium): An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
CVE-2024-1440 — CVSS 5.4 (medium): An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication…
CVE-2024-4867 — CVSS 5.4 (medium): The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output…
CVE-2019-6513 — CVSS 5.4 (medium): An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by…
CVE-2018-20736 — CVSS 5.4 (medium): An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.
CVE-2019-6515 — CVSS 5.3 (medium): An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user.
CVE-2025-8154 — CVSS 5.3 (medium): In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or…
CVE-2023-6839 — CVSS 5.3 (medium): Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in…
CVE-2025-10853 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output…
CVE-2024-8008 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages…
CVE-2019-20439 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in…
CVE-2019-20443 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server…
CVE-2019-20442 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server…
CVE-2019-20441 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the…
CVE-2019-20435 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0. A reflected XSS attack could be performed in the inline API documentation editor page of…
CVE-2019-20440 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in…
CVE-2019-15108 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the…
CVE-2019-20434 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in…
CVE-2023-6911 — CVSS 4.8 (medium): Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can…
CVE-2017-14651 — CVSS 4.8 (medium): WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath…
CVE-2019-20438 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0. A potential stored Cross-Site Scripting (XSS) vulnerability has been identified in the…
CVE-2025-4760 — CVSS 4.8 (medium): An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of…
CVE-2023-6836 — CVSS 4.6 (medium): Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely…
CVE-2022-29548 — CVSS 4.6 (medium): A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0…
CVE-2025-5605 — CVSS 4.3 (medium): An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the…
CVE-2024-3511 — CVSS 4.3 (medium): An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the…
CVE-2024-3509 — CVSS 4.3 (medium): A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input…
CVE-2023-6835 — CVSS 4.3 (medium): Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating…
CVE-2024-7097 — CVSS 4.3 (medium): An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user…
CVE-2024-6429 — CVSS 4.3 (medium): A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error…
CVE-2024-7096 — CVSS 4.2 (medium): A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious…
CVE-2019-6512 — CVSS 4.1 (medium): An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation…
CVE-2024-8010 — CVSS 3.5 (low): The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit…