WSO2 Identity Server
8 CVEs affecting WSO2 Identity Server. Latest disclosed: 2026-05-11. Critical: 0, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-4311 | High | 8.8 | 2017-02-17 | Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of… |
| CVE-2025-10470 | High | 8.6 | 2026-05-11 | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled… |
| CVE-2016-4312 | High | 7.5 | 2017-02-17 | XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated… |
| CVE-2025-10908 | High | 7.3 | 2026-05-11 | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key metho… |
| CVE-2025-9973 | Medium | 6.4 | 2026-05-11 | Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to b… |
| CVE-2025-10503 | Medium | 6.1 | 2026-04-29 | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This al… |
| CVE-2024-0391 | Medium | 5.3 | 2026-05-11 | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered us… |
| CVE-2017-14651 | Medium | 4.8 | 2017-09-21 | WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or parentPath parameter. |