This page lists publicly disclosed CVE vulnerabilities affecting wso2 enterprise_integrator (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-6670 | A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an aut | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.8 | 0.02% | 2025-11-18 | 2025-12-08 |
| CVE-2025-10853 | A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.2 | 0.02% | 2025-11-05 | 2025-11-13 |
| CVE-2025-11093 | An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This m | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.4 | 0.09% | 2025-11-05 | 2026-01-09 |
| CVE-2025-10907 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with admin | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 8.4 | 0.52% | 2025-11-05 | 2025-12-04 |
| CVE-2025-10713 | An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.5 | 0.08% | 2025-11-05 | 2025-12-04 |
| CVE-2025-3125 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.7 | 0.27% | 2025-11-05 | 2025-12-04 |
| CVE-2025-5605 | An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 4.3 | 6.21% | 2025-10-24 | 2025-11-21 |
| CVE-2025-5350 | SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.9 | 0.65% | 2025-10-24 | 2025-11-21 |
| CVE-2025-9955 | An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational d | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.7 | 0.02% | 2025-10-16 | 2025-10-21 |
| CVE-2025-9804 | An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 9.6 | 0.05% | 2025-10-16 | 2025-11-21 |
| CVE-2025-1862 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service endpoint. A malicious actor with administrative privileges can upload arbitrary files to a user-controlled location on the server. By leveraging this vulnerability, an attacker can upload a specially crafted payload and achieve remote code execution (RCE), potentially compromising the server and its data. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.7 | 0.47% | 2025-09-26 | 2025-10-06 |
| CVE-2024-3511 | An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, pote | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 4.3 | 0.14% | 2025-06-23 | 2025-10-06 |
| CVE-2024-8008 | A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.2 | 0.10% | 2025-06-02 | 2025-10-06 |
| CVE-2024-3509 | A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. W | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 4.3 | 0.10% | 2025-06-02 | 2025-10-06 |
| CVE-2024-0392 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.4 | 0.27% | 2025-02-27 | 2025-10-06 |
| CVE-2023-6911 | Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 4.8 | 0.35% | 2023-12-18 | 2024-11-21 |
| CVE-2023-6836 | Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information. | ed10eef1-636d-4fbe-9993-6890dfa878f8 | 4.6 | 0.17% | 2023-12-15 | 2024-11-21 |
| CVE-2022-39810 | An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible. | [email protected] | 6.1 | 0.34% | 2022-09-09 | 2024-11-21 |
| CVE-2022-39809 | An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible. | [email protected] | 6.1 | 0.23% | 2022-09-09 | 2024-11-21 |
| CVE-2022-29548 | A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro | [email protected] | 4.6 | 76.36% | 2022-04-21 | 2024-11-21 |