CVE-2024-6914 — CVSS 9.8 (critical): An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP…
CVE-2025-10611 — CVSS 9.8 (critical): Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST…
CVE-2025-9312 — CVSS 9.8 (critical): A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP…
CVE-2025-9804 — CVSS 9.6 (critical): An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal…
CVE-2025-6670 — CVSS 8.8 (high): A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing…
CVE-2025-10907 — CVSS 8.4 (high): An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination…
CVE-2024-2374 — CVSS 7.5 (high): The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of…
CVE-2025-0663 — CVSS 6.8 (medium): A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive…
CVE-2025-3125 — CVSS 6.7 (medium): An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin…
CVE-2025-1862 — CVSS 6.7 (medium): An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL…
CVE-2024-7073 — CVSS 6.5 (medium): A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin…
CVE-2025-10713 — CVSS 6.5 (medium): An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The…
CVE-2025-5350 — CVSS 5.9 (medium): SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to…
CVE-2024-0391 — CVSS 5.3 (medium): The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the…
CVE-2025-10853 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output…
CVE-2024-8008 — CVSS 5.2 (medium): A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages…
CVE-2025-5605 — CVSS 4.3 (medium): An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the…
CVE-2024-7097 — CVSS 4.3 (medium): An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user…
CVE-2024-3511 — CVSS 4.3 (medium): An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the…
CVE-2024-7096 — CVSS 4.2 (medium): A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious…
CVE-2025-1396 — CVSS 3.7 (low): A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the…
CVE-2025-0672 — CVSS 3.3 (low): An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is…