CVE-2025-13590

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. 

 By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
WSO2CNA
9.1 CRITICAL
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
wso2api_control_plane
4.5.0
wso2api_control_plane
4.6.0
wso2api_manager
4.2.0
wso2api_manager
4.3.0
wso2api_manager
4.4.0
wso2api_manager
4.5.0
wso2api_manager
4.6.0
wso2traffic_manager
4.5.0
wso2traffic_manager
4.6.0
wso2universal_gateway
4.5.0
wso2universal_gateway
4.6.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/