CVE 5.3 MEDIUM

HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation_CVE-2025-8154

May 11, 2026 invoker category_cve
5.3 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.

By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.

Basic Information

ID CVE-2025-8154
Source WSO2
Published May 11, 2026 at 09:30
Modified May 11, 2026 at 09:43

Affected Product

Vendor WSO2
Product WSO2 API Manager
Affected Versions WSO2 WSO2 API Manager 4.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 Carbon API Gateway 9.20.74
WSO2 WSO2 Carbon API Gateway 9.28.116
WSO2 WSO2 Carbon API Gateway 9.29.120
WSO2 WSO2 Carbon API Gateway 9.30.67
WSO2 WSO2 Carbon API Gateway 9.31.86
WSO2 WSO2 Carbon API Management Implementation 9.20.74
WSO2 WSO2 Carbon API Management Implementation 9.28.116
WSO2 WSO2 Carbon API Management Implementation 9.29.120
WSO2 WSO2 Carbon API Management Implementation 9.30.67
WSO2 WSO2 Carbon API Management Implementation 9.31.86

CWE Classification

CWE-74

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.