Identity server

This hub aggregates every CVE we track for Identity server, a product in the security products space. Use it to gauge the current risk picture and drill into individual advisories.

Security Productson-premweb app

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM46HIGH13CRITICAL6LOW2

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Identity server.

CVE-2025-10470Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability8.6May 11, 2026
CVE-2025-9973Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover6.4May 11, 2026
CVE-2025-10908Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access7.3May 11, 2026
CVE-2024-0391Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery5.3May 11, 2026
CVE-2025-10503Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server6.1Apr 29, 2026
CVE-2025-12624Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock6.0Apr 16, 2026
CVE-2025-6024Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites6.1Apr 16, 2026
CVE-2024-2374XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service7.5Apr 16, 2026
CVE-2024-1524A local user can be impersonated when using federated authentication with Silent JIT Provisioning.7.7Feb 24, 2026
CVE-2025-12107Potential authenticated Server-Side Template Injection (SSTI) vulnerability.8.4Feb 19, 2026
CVE-2025-9312Improper Certificate-Based Authentication Enforcement in Multiple WSO2 Products9.8Nov 18, 2025
CVE-2025-6670Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services8.8Nov 18, 2025
CVE-2025-10853Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding5.2Nov 5, 2025
CVE-2025-5770Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products6.1Nov 5, 2025
CVE-2025-10907Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution8.4Nov 5, 2025

Product normalization is registry-driven with AI assist and human review. How it works