WSO2 Identity Server
43 CVEs affecting WSO2 Identity Server. Latest disclosed: 2026-05-11. Critical: 4, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-9312 | Critical | 9.8 | 2025-11-18 | A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 p… |
| CVE-2025-10611 | Critical | 9.8 | 2025-10-16 | Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed… |
| CVE-2024-6914 | Critical | 9.8 | 2025-05-22 | An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A ma… |
| CVE-2025-9804 | Critical | 9.6 | 2025-10-16 | An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services an… |
| CVE-2025-6670 | High | 8.8 | 2025-11-18 | A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within a… |
| CVE-2025-10470 | High | 8.6 | 2026-05-11 | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled… |
| CVE-2023-6837 | High | 8.5 | 2023-12-15 | Multiple WSO2 products have been identified as vulnerable to perform user impersonation using JIT provisioning. In order for this vulnerability to have any imp… |
| CVE-2025-12107 | High | 8.4 | 2026-02-19 | Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax wi… |
| CVE-2025-10907 | High | 8.4 | 2025-11-05 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin servic… |
| CVE-2024-1524 | High | 7.7 | 2026-02-24 | When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's informat… |
| CVE-2024-2374 | High | 7.5 | 2026-04-16 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This o… |
| CVE-2025-10908 | High | 7.3 | 2026-05-11 | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key metho… |
| CVE-2025-0663 | Medium | 6.8 | 2025-09-23 | A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptogr… |
| CVE-2025-3125 | Medium | 6.7 | 2025-11-05 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An au… |
| CVE-2025-1862 | Medium | 6.7 | 2025-09-26 | An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in the BPEL uploader SOAP service… |
| CVE-2025-10713 | Medium | 6.5 | 2025-11-05 | An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-suppli… |
| CVE-2024-7073 | Medium | 6.5 | 2025-06-02 | A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows u… |
| CVE-2025-9973 | Medium | 6.4 | 2026-05-11 | Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to b… |
| CVE-2025-10503 | Medium | 6.1 | 2026-04-29 | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This al… |
| CVE-2025-6024 | Medium | 6.1 | 2026-04-16 | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage th… |