WSO2
CVE Numbering Authority
Latest CVE published
Overview
WSO2 is a CVE Numbering Authority that has published 45 CVE records since 2023. It is currently classified as active, with 39 CVEs published in the last two years. Its CVE data quality is graded A (100% overall completeness).
Among the 370 CNAs tracked here, WSO2 ranks #176 by CVE volume and reports more complete records than 60% of all CNAs.
Data quality report card
How complete and consistent WSO2's CVE records are, scored across vendor, product, CVSS, and CWE coverage.
A CVE record only requires a description to be published. “Completeness” measures how often WSO2 also fills in the optional — but extremely useful — fields that make a vulnerability actually actionable: the affected vendor and product, a CVSS severity score, and a CWE weakness type. A higher score means more of this CNA’s CVEs include those details, so defenders spend less time enriching records by hand.
Report card grade
100%
Overall score
What these scores mean
- Vendor completeness
- The share of this CNA's CVEs that name an affected vendor.
- Product completeness
- The share that name a specific affected product.
- CVSS completeness
- The share that include a CVSS severity score.
- CWE completeness
- The share mapped to a CWE weakness type.
- Update rate
- How often this CNA revises CVE records after first publishing them.
- Vendor diversity
- How many distinct vendors this CNA publishes CVEs for.
Severity and exploitation
How the CVSS severity of WSO2's published CVEs breaks down, and how many are known to be exploited in the wild.
In CISA’s Known Exploited Vulnerabilities catalog
0
None of WSO2's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.
Common weakness types
The CWE weakness categories WSO2 most often assigns to its CVEs. Follow any weakness to its full explanation.
- CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')16 CVEs
- CWE-863Incorrect Authorization9 CVEs
- CWE-611Improper Restriction of XML External Entity Reference5 CVEs
- CWE-434Unrestricted Upload of File with Dangerous Type5 CVEs
- CWE-287Improper Authentication3 CVEs
- CWE-918Server-Side Request Forgery (SSRF)3 CVEs
- CWE-352Cross-Site Request Forgery (CSRF)2 CVEs
- CWE-290Authentication Bypass by Spoofing2 CVEs
Publishing activity by year
How many CVEs WSO2 has published each year.
Top vendors
The vendors WSO2 publishes the most CVEs for.
- WSO266 CVEs
- wso2-attic2 CVEs
Top products
The products WSO2 publishes the most CVEs for.
- WSO2 API Manager49 CVEs
- api manager48 CVEs
- identity server46 CVEs
- WSO2 Identity Server46 CVEs
- product-apim31 CVEs
- WSO2 Identity Server as Key Manager29 CVEs
- identity server as key manager29 CVEs
- WSO2 Open Banking IAM27 CVEs
Latest CVEs
The most recent CVEs assigned by WSO2.
- CVE-2026-4249CWE-707
Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption
High · CVSS 8.6EPSS 0.3%2026-07-06 - CVE-2025-8591CWE-79
Reflected Cross-Site Scripting via URL Parameter in Multiple WSO2 Products Enables UI Modification
Medium · CVSS 6.1EPSS 0.2%2026-07-06 - CVE-2024-1248CWE-298
Role Overwriting via Silent JIT Provisioning in Multiple WSO2 Products Enables Privilege Escalation
Medium · CVSS 5.3EPSS 0.2%2026-07-04 - CVE-2025-13475CWE-288
Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure
High · CVSS 7.3EPSS 0.2%2026-07-04 - CVE-2026-2053CWE-918
Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API Manager
Critical · CVSS 10.0EPSS 0.2%2026-06-26 - CVE-2025-10470CWE-400
Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability
High · CVSS 8.6EPSS 0.3%2026-05-11 - CVE-2025-9973CWE-284
Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover
High · CVSS 7.2EPSS 0.4%2026-05-11 - CVE-2025-8325CWE-281
Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations
High · CVSS 8.8EPSS 0.2%2026-05-11 - CVE-2025-8154CWE-74
HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation
High · CVSS 7.5EPSS 0.2%2026-05-11 - CVE-2025-10908CWE-863
Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access
High · CVSS 7.3EPSS 0.2%2026-05-11 - CVE-2024-0391CWE-204
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
Medium · CVSS 5.3EPSS 0.2%2026-05-11 - CVE-2025-10503CWE-79
Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server
Medium · CVSS 6.1EPSS 0.2%2026-04-29
Track new WSO2 CVEs as they are published and get AI-written analysis and remediation guidance.
Monitor WSO2 CVEsOther CNAs
Compare data quality across other CVE Numbering Authorities.
Frequently asked questions
Common questions about the WSO2 CNA.
- What is the WSO2 CNA?
- WSO2 is a CVE Numbering Authority (CNA) — an organization authorized to assign CVE IDs to vulnerabilities in its scope. It has published 45 CVE records since 2023.
- How many CVEs has WSO2 published?
- WSO2 has published 45 CVE records, including 39 in the last two years.
- What is WSO2's CVE data quality grade?
- RadicalNotion.AI grades WSO2's CVE data quality as A, with an overall completeness score of 100%. This reflects how consistently its CVE records include vendor (100%), product (100%), CVSS (100%), and CWE (100%) information.
- What products does WSO2 publish CVEs for?
- WSO2 most frequently publishes CVEs for WSO2 API Manager, api manager, identity server, WSO2 Identity Server, product-apim.
- Which vendors does WSO2 cover?
- WSO2 publishes CVEs across 1 distinct vendors, most often WSO2, wso2-attic.
- Is WSO2 actively publishing CVEs?
- WSO2 is currently active, based on 39 CVEs in the last two years.
- What is the average severity of WSO2's CVEs?
- The average CVSS base score across WSO2's scored CVEs is 6.3.
- How many critical CVEs has WSO2 published?
- WSO2 has published 10 critical-severity CVEs and 18 high-severity CVEs.
- Are any of WSO2's CVEs in CISA's Known Exploited Vulnerabilities catalog?
- No. None of WSO2's CVEs are currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- What are the most common weakness types in WSO2's CVEs?
- WSO2's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-863 (Incorrect Authorization), CWE-611 (Improper Restriction of XML External Entity Reference), CWE-434 (Unrestricted Upload of File with Dangerous Type).
- How does WSO2 rank among CNAs?
- By total CVE volume, WSO2 ranks #176 of 370 CNAs, and it reports more complete CVE records than 60% of all CNAs.
References
- Official CVE.org list of CNA partners (opens in a new tab)
- Learn: What is a CNA?
- CWE directory: the weakness types this CNA maps its CVEs to
CNA report-card grades are computed by RadicalNotion.AI from published CVE records. CVE data is sourced from the CVE Program.
Track WSO2 CVEs
Monitor new vulnerabilities as this CNA publishes them, with AI-written analysis and remediation guidance.