{“lastseen”:””,”description”:”In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses.\\n\\nBy exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.”,”published”:”2026-05-11T09:30:36.027Z”,”modified”:”2026-05-11T09:43:39.282Z”,”type”:”cve”,”title”:”HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation”,”source”:”WSO2″,”references”:”https:\/\/security.docs.wso2.com\/en\/latest\/security-announcements\/security-advisories\/2026\/WSO2-2025-4410\/”,”id”:”CVE-2025-8154″,”bulletinFamily”:””,”cwe”:[“CWE-74″],”cvelist”:null,”sourceData”:”WSO2 WSO2 API Manager 4.1.0\\nWSO2 WSO2 API Manager 4.2.0\\nWSO2 WSO2 API Manager 4.3.0\\nWSO2 WSO2 API Manager 4.4.0\\nWSO2 WSO2 API Manager 4.5.0\\nWSO2 WSO2 Universal Gateway 4.5.0\\nWSO2 WSO2 Traffic Manager 4.5.0\\nWSO2 WSO2 API Control Plane 4.5.0\\nWSO2 WSO2 Carbon API Gateway 9.20.74\\nWSO2 WSO2 Carbon API Gateway 9.28.116\\nWSO2 WSO2 Carbon API Gateway 9.29.120\\nWSO2 WSO2 Carbon API Gateway 9.30.67\\nWSO2 WSO2 Carbon API Gateway 9.31.86\\nWSO2 WSO2 Carbon API Management Implementation 9.20.74\\nWSO2 WSO2 Carbon API Management Implementation 9.28.116\\nWSO2 WSO2 Carbon API Management Implementation 9.29.120\\nWSO2 WSO2 Carbon API Management Implementation 9.30.67\\nWSO2 WSO2 Carbon API Management Implementation 9.31.86″,”sourceHref”:””,”cvss”:{“score”:5.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”WSO2 API Manager”,”version”:”0″,”vendor”:”WSO2″,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,22,12,21,13,7,11,5],"class_list":["post-52960","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-53","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n