Skip to main content

Wso2 Universal Gateway

4 CVEs product

Monthly

CVE-2026-4249 HIGH PATCH This Week

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Denial Of Service Wso2 Universal Gateway Wso2 Traffic Manager Wso2 Api Control Plane Wso2 Api Manager
NVD VulDB
CVSS 3.1
8.6
EPSS
0.3%
CVE-2025-8591 MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager Wso2 Api Control Plane Wso2 Traffic Manager +4
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-8325 MEDIUM PATCH This Month

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.

Information Disclosure Wso2 Api Control Plane Wso2 Universal Gateway Wso2 Traffic Manager Wso2 Api Manager +2
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-8154 MEDIUM PATCH This Month

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Wso2 Api Manager Wso2 Universal Gateway Wso2 Traffic Manager Wso2 Api Control Plane +2
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffic Manager, and WSO2 API Control Plane - allows an unauthenticated remote attacker to send malicious JSON payloads to the throttling event handling mechanism, crashing or corrupting API Gateway state so that legitimate API traffic can no longer be processed. Because the outage is persistent and requires manual intervention to restore service, and the CVSS scope is changed (S:C), a single request can take down the entire API Gateway tier. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Denial Of Service Wso2 Universal Gateway Wso2 Traffic Manager +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

XSS Wso2 Identity Server Wso2 Api Manager +6
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.

Information Disclosure Wso2 Api Control Plane Wso2 Universal Gateway +4
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Wso2 Api Manager Wso2 Universal Gateway +4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy