{“lastseen”:””,”description”:”A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. \\n\\n By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.”,”published”:”2026-02-19T10:05:06.083Z”,”modified”:”2026-02-19T10:05:06.083Z”,”type”:”cve”,”title”:”Authenticated arbitrary file upload via a System REST API requiring administrator permission.”,”source”:”WSO2″,”references”:”https:\/\/security.docs.wso2.com\/en\/latest\/security-announcements\/security-advisories\/2026\/WSO2-2025-4849\/”,”id”:”CVE-2025-13590″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”WSO2 WSO2 API Manager 4.2.0\\nWSO2 WSO2 API Manager 4.3.0\\nWSO2 WSO2 API Manager 4.4.0\\nWSO2 WSO2 API Manager 4.5.0\\nWSO2 WSO2 API Manager 4.6.0\\nWSO2 WSO2 API Control Plane 4.5.0\\nWSO2 WSO2 API Control Plane 4.6.0\\nWSO2 WSO2 Universal Gateway 4.5.0\\nWSO2 WSO2 Universal Gateway 4.6.0\\nWSO2 WSO2 Traffic Manager 4.5.0\\nWSO2 WSO2 Traffic Manager 4.6.0\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.28.116\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.29.120\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.30.67\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.31.86\\nWSO2 org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl 9.32.147″,”sourceHref”:””,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”WSO2 API Manager”,”version”:”0″,”vendor”:”WSO2″,”ai_description”:”Authenticated arbitrary file upload vulnerability via System REST API, potentially leading to remote code execution”,”ai_severity”:”Critical”,”ai_vendor”:”WSO2″,”ai_product”:”WSO2 API Manager, WSO2 API Control Plane, WSO2 Universal Gateway, WSO2 Traffic Manager”,”ai_version”:”4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 9.28.116, 9.29.120, 9.30.67, 9.31.86, 9.32.147″,”ai_score”:9.1}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,10,12,13,7,11,5],"class_list":["post-41610","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n