CVE-2024-2374

HIGH 7.5

XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

CWE	CWE-611
Vendor	wso2
Product	wso2 api manager
Published	Apr 16, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for wso2 wso2 api manager

Be the first to know when new high vulnerabilities affecting wso2 wso2 api manager are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

WSO2 / WSO2 API Manager

3.1.0 < 3.1.0.278 3.2.0 < 3.2.0.368 4.0.0 < 4.0.0.280 4.1.0 < 4.1.0.206 4.2.0 < 4.2.0.144 4.3.0 < 4.3.0.57

WSO2 / WSO2 Identity Server

5.10.0 < 5.10.0.300 5.11.0 < 5.11.0.329 6.0.0 < 6.0.0.179 6.1.0 < 6.1.0.136

WSO2 / WSO2 Open Banking AM

2.0.0 < 2.0.0.328

WSO2 / WSO2 Open Banking IAM

2.0.0 < 2.0.0.348

WSO2 / WSO2 Identity Server as Key Manager

5.10.0 < 5.10.0.296

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.docs.wso2.com: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/