9.1

CVE-2025-13590

Authenticated arbitrary file upload via a System REST API requiring administrator permission.

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. 

 By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2Api Control Plane Version4.5.0 Update-
Wso2Api Control Plane Version4.6.0 Update-
Wso2Api Manager Version4.2.0 Update-
Wso2Api Manager Version4.3.0 Update-
Wso2Api Manager Version4.4.0 Update-
Wso2Api Manager Version4.5.0 Update-
Wso2Api Manager Version4.6.0 Update-
Wso2Traffic Manager Version4.5.0
Wso2Traffic Manager Version4.6.0
Wso2Universal Gateway Version4.5.0
Wso2Universal Gateway Version4.6.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.68% 0.473
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.1 2.3 6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/
Vendor Advisory