WSO2
Latest CVEs
The 15 most recently published vulnerabilities affecting WSO2 products, each listed with its CVE identifier, advisory title and CVSS base score.
- CVE-2025-10470: Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability (CVSS 8.6)
- CVE-2025-9973: Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover (CVSS 6.4)
- CVE-2025-8325: Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations (CVSS 6.3)
- CVE-2025-8154: HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation (CVSS 5.3)
- CVE-2025-10908: Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access (CVSS 7.3)
- CVE-2024-0391: Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery (CVSS 5.3)
- CVE-2025-10503: Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server (CVSS 6.1)
- CVE-2025-12624: Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock (CVSS 6.0)
- CVE-2025-6024: Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites (CVSS 6.1)
- CVE-2024-10242: Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection (CVSS 6.1)
- CVE-2024-8010: XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files (CVSS 3.5)
- CVE-2024-4867: Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval (CVSS 5.4)
- CVE-2024-2374: XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service (CVSS 7.5)
- CVE-2024-1524: A local user can be impersonated when using federated authentication with Silent JIT Provisioning (CVSS 7.7)
- CVE-2025-13590: Authenticated arbitrary file upload via a System REST API requiring administrator permission (CVSS 9.1)