CVE-2024-8010
XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files
CVSS Score
3.5
EPSS Score
0.0%
EPSS Percentile
0th
The component accepts XML input through the Publisher without disabling external entity resolution in the underlying XML parser (CWE-611). A malicious actor with Publisher access can submit a crafted XML document whose DTD declares an external entity and references it in the document body; the parser resolves the entity and substitutes the fetched content into the parsed document. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system, or reach limited HTTP resources that are accessible from the vulnerable product via HTTP GET requests (a server-side request forgery through the same entity mechanism). The CVSS vector reflects that the attack requires adjacent network access and low-privileged Publisher credentials, and that only confidentiality is affected.
| CWE | CWE-611 |
| Vendor | wso2 |
| Product | wso2 api manager |
| Published | Apr 16, 2026 |
| Last Updated | Apr 16, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Adjacent |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
WSO2 / WSO2 API Manager
| Version | Affected before |
| 3.2.0 | 3.2.0.397 |
| 3.2.1 | 3.2.1.27 |
| 4.0.0 | 4.0.0.310 |
| 4.0.0 | 4.0.0.319 |
| 4.1.0 | 4.1.0.171 |
| 4.2.0 | 4.2.0.127 |
| 4.3.0 | 4.3.0.39 |