{“lastseen”:””,”description”:”An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment.\\n\\nSuccessful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.”,”published”:”2025-11-05T18:03:49.831Z”,”modified”:”2025-11-05T18:49:44.604Z”,”type”:”cve”,”title”:”Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Services Leading to Remote Code Execution”,”source”:”WSO2″,”references”:”https:\/\/security.docs.wso2.com\/en\/latest\/security-announcements\/security-advisories\/2025\/WSO2-2025-4603\/”,”id”:”CVE-2025-10907″,”bulletinFamily”:””,”cwe”:[“CWE-434″],”cvelist”:null,”sourceData”:”WSO2 WSO2 API Manager 3.1.0\\nWSO2 WSO2 API Manager 3.2.0\\nWSO2 WSO2 API Manager 3.2.1\\nWSO2 WSO2 API Manager 4.0.0\\nWSO2 WSO2 API Manager 4.1.0\\nWSO2 WSO2 API Manager 4.2.0\\nWSO2 WSO2 API Manager 4.3.0\\nWSO2 WSO2 API Manager 4.4.0\\nWSO2 WSO2 API Manager 4.5.0\\nWSO2 WSO2 Open Banking IAM 2.0.0\\nWSO2 WSO2 Open Banking AM 2.0.0\\nWSO2 WSO2 API Control Plane 4.5.0\\nWSO2 WSO2 Universal Gateway 4.5.0\\nWSO2 WSO2 Traffic Manager 4.5.0\\nWSO2 WSO2 Micro Integrator 4.0.0\\nWSO2 WSO2 Micro Integrator 4.1.0\\nWSO2 WSO2 Micro Integrator 4.2.0\\nWSO2 WSO2 Identity Server 5.10.0\\nWSO2 WSO2 Identity Server 5.11.0\\nWSO2 WSO2 Identity Server 6.0.0\\nWSO2 WSO2 Identity Server 6.1.0\\nWSO2 WSO2 Identity Server 7.0.0\\nWSO2 WSO2 Identity Server 7.1.0\\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\\nWSO2 WSO2 Enterprise Integrator 6.6.0\\nWSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt 0.14.13\\nWSO2 org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt 0.14.16\\nWSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.2.14\\nWSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.2.17\\nWSO2 org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core 2.3.1\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.30\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.61\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.99\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.131\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.175\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.188\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.204\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.221\\nWSO2 org.wso2.carbon.mediation:org.wso2.carbon.mediation.library 4.7.245\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.9.15\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.10.1\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.10.9\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.1\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.3\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.7\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.14\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.17\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.module.mgt 4.11.18\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.10.1\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.10.9\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.1\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.3\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.7\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.14\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.17\\nWSO2 org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt 4.11.18\\nWSO2 org.apache.ws.commons.axiom.wso2:axiom 1.2.11\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.5.3\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.2\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.3\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.6.4\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.7.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.8.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.26\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.27\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.9.28\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.base 4.10.42\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.5.3\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.2\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.3\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.6.4\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.7.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.8.1\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.0\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.26\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.27\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.9.28\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.10.9\\nWSO2 org.wso2.carbon:org.wso2.carbon.utils 4.10.42″,”sourceHref”:””,”cvss”:{“score”:8.4,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:A\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”WSO2 API Manager”,”version”:”0″,”vendor”:”WSO2″,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,74,12,15,13,7,11,5],"class_list":["post-24920","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-84","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n