Authenticated arbitrary file upload via a System REST API requiring...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

AI Analysis

Authenticated arbitrary file upload vulnerability via System REST API, potentially leading to remote code execution

Basic Information

ID CVE-2025-13590

Source WSO2

Published Feb 19, 2026 at 10:05

Affected Product

Vendor WSO2

Product WSO2 API Manager

Affected Versions WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 API Manager 4.6.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 API Control Plane 4.6.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Universal Gateway 4.6.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 WSO2 Traffic Manager 4.6.0
WSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.28.116
WSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.29.120
WSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.30.67
WSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.31.86
WSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.32.147

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor WSO2

Product WSO2 API Manager, WSO2 API Control Plane, WSO2 Universal Gateway, WSO2 Traffic Manager

Version 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 9.28.116, 9.29.120, 9.30.67, 9.31.86, 9.32.147

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/

{
    "lastseen": "",
    "description": "A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. \n\n By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.",
    "published": "2026-02-19T10:05:06.083Z",
    "modified": "2026-02-19T10:05:06.083Z",
    "type": "cve",
    "title": "Authenticated arbitrary file upload via a System REST API requiring administrator permission.",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/",
    "id": "CVE-2025-13590",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "WSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 API Manager 4.6.0\nWSO2 WSO2 API Control Plane 4.5.0\nWSO2 WSO2 API Control Plane 4.6.0\nWSO2 WSO2 Universal Gateway 4.5.0\nWSO2 WSO2 Universal Gateway 4.6.0\nWSO2 WSO2 Traffic Manager 4.5.0\nWSO2 WSO2 Traffic Manager 4.6.0\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.28.116\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.29.120\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.30.67\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.31.86\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.32.147",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 API Manager",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "Authenticated arbitrary file upload vulnerability via System REST API, potentially leading to remote code execution",
    "ai_severity": "Critical",
    "ai_vendor": "WSO2",
    "ai_product": "WSO2 API Manager, WSO2 API Control Plane, WSO2 Universal Gateway, WSO2 Traffic Manager",
    "ai_version": "4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 9.28.116, 9.29.120, 9.30.67, 9.31.86, 9.32.147",
    "ai_score": 9.1
}

Authenticated arbitrary file upload via a System REST API requiring administrator permission._CVE-2025-13590