WSO2 CVE Vulnerabilities and CVE List (118)

Product (CPE): — CVE count: 118

WSO2 Vulnerability Overview

This page aggregates CVE and security vulnerability information across all WSO2-related products, listing CVSS, EPSS, publication date, and vulnerability details.

Common weakness patterns include cross-site scripting, XXE, SSRF, and CSRF; in software deployment scenarios these can lead to risks such as session compromise, file overwrite, and unexpected behavior.

The listed data is based on public vulnerability information and security advisories, and can be used to assess past exposure and remediation priority.

Vulnerability distribution trend (last 24 months)

Showing 120 / 118 CVEs
CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated
CVE-2025-9973 | Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations. This flaw allows bypassing authorization boundaries between organizations, leading to unauthor | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.4 | 0.07% | 2026-05-11 | 2026-05-27
CVE-2025-10470 | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.6 | 0.06% | 2026-05-11 | 2026-05-27
CVE-2025-8325 | The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x versions. A malicious actor with a valid user account on a vulnerable deployment can perform sensitive operations against the Gateway REST API regardless of their actual roles or privileges. This could | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.3 | 0.03% | 2026-05-11 | 2026-05-27
CVE-2025-8154 | In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie va | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.3 | 0.05% | 2026-05-11 | 2026-05-27
CVE-2025-10908 | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 7.3 | 0.06% | 2026-05-11 | 2026-05-27
CVE-2024-0391 | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.3 | 0.02% | 2026-05-11 | 2026-05-27
CVE-2025-10503 | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protectio | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.1 | 0.03% | 2026-04-29 | 2026-05-01
CVE-2025-12624 | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.0 | 0.03% | 2026-04-16 | 2026-04-23
CVE-2025-6024 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related co | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.1 | 0.03% | 2026-04-16 | 2026-04-23
CVE-2024-8010 | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 3.5 | 0.01% | 2026-04-16 | 2026-04-23
CVE-2024-4867 | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hij | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.4 | 0.03% | 2026-04-16 | 2026-04-23
CVE-2024-10242 | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.1 | 0.03% | 2026-04-16 | 2026-04-23
CVE-2024-2374 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploite | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 7.5 | 0.01% | 2026-04-16 | 2026-04-23
CVE-2024-1524 | When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 7.7 | 0.06% | 2026-02-24 | 2026-03-03
CVE-2025-13590 | A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 9.1 | 0.10% | 2026-02-19 | 2026-02-20
CVE-2025-12107 | Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.4 | 0.56% | 2026-02-19 | 2026-03-06
CVE-2025-9312 | A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP serv | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 9.8 | 0.04% | 2025-11-18 | 2025-12-08
CVE-2025-6670 | A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an aut | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.8 | 0.02% | 2025-11-18 | 2025-12-08
CVE-2025-10853 | A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.2 | 0.02% | 2025-11-05 | 2025-11-13
CVE-2025-5770 | A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.1 | 0.02% | 2025-11-05 | 2025-11-13
cvelogic Threat Intelligence