Vulnerability Details CVE-2025-13590
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.9%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2025-13590
-
cpe:2.3:a:wso2:api_control_plane:4.5.0
-
cpe:2.3:a:wso2:api_control_plane:4.6.0
-
cpe:2.3:a:wso2:api_manager:4.2.0
-
cpe:2.3:a:wso2:api_manager:4.3.0
-
cpe:2.3:a:wso2:api_manager:4.4.0
-
cpe:2.3:a:wso2:api_manager:4.5.0
-
cpe:2.3:a:wso2:api_manager:4.6.0
-
cpe:2.3:a:wso2:traffic_manager:4.5.0
-
cpe:2.3:a:wso2:traffic_manager:4.6.0
-
cpe:2.3:a:wso2:universal_gateway:4.5.0
-
cpe:2.3:a:wso2:universal_gateway:4.6.0