CVE-2025-9804 — CVSS 9.6 (critical): An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal…
CVE-2020-24703 — CVSS 8.8 (high): An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled…
CVE-2025-6670 — CVSS 8.8 (high): A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing…
CVE-2025-10907 — CVSS 8.4 (high): An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination…
CVE-2025-11093 — CVSS 8.4 (high): An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS…
CVE-2020-12719 — CVSS 7.2 (high): XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and…
CVE-2020-11885 — CVSS 7.2 (high): WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to…
CVE-2025-1862 — CVSS 6.7 (medium): An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL…
CVE-2025-3125 — CVSS 6.7 (medium): An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin…
CVE-2020-24591 — CVSS 6.5 (medium): The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0…
CVE-2025-10713 — CVSS 6.5 (medium): An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The…
CVE-2020-24704 — CVSS 6.1 (medium): An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager…
CVE-2022-39809 — CVSS 6.1 (medium): An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in…
CVE-2022-39810 — CVSS 6.1 (medium): An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in…
CVE-2019-19587 — CVSS 6.1 (medium): In WSO2 Enterprise Integrator 6.5.0, reflected XSS occurs when updating the message processor configuration from the source view in the…
CVE-2025-5350 — CVSS 5.9 (medium): SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to…
CVE-2025-9955 — CVSS 5.7 (medium): An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on…
CVE-2024-0392 — CVSS 5.4 (medium): A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence…
CVE-2020-25516 — CVSS 5.4 (medium): WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks.
CVE-2024-8008 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages…
CVE-2025-10853 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output…
CVE-2023-6911 — CVSS 4.8 (medium): Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can…
CVE-2019-20442 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server…
CVE-2019-20443 — CVSS 4.8 (medium): An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server…
CVE-2017-14651 — CVSS 4.8 (medium): WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath…
CVE-2023-6836 — CVSS 4.6 (medium): Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely…
CVE-2022-29548 — CVSS 4.6 (medium): A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0…
CVE-2024-3511 — CVSS 4.3 (medium): An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the…
CVE-2025-5605 — CVSS 4.3 (medium): An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the…
CVE-2024-3509 — CVSS 4.3 (medium): A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input…