CVE-2025-8154
HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
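To make the defect class concrete, the following added example (not WSO2's code; the payload and field names are constructed and hypothetical) shows a handler that copies caller-supplied headers into its response unchanged beside a hardened version that enforces RFC 9110 field-name and field-value syntax and refuses to emit protected response headers.

```python
import re

# Constructed sample webhook payload (hypothetical field names, not WSO2's
# schema): the caller supplies headers that the service later copies into its
# own HTTP response, which is the pattern the advisory describes.
CONSTRUCTED_PAYLOAD = {
    "X-Request-Id": "abc123",
    # A CRLF inside one value turns a single header into two response lines.
    "X-Trace": "ok\r\nSet-Cookie: sid=injected",
    # A name that is not an RFC 9110 token (contains a space).
    "Bad Name": "x",
}

# RFC 9110: field-name is a token; field-value allows HTAB, SP, VCHAR, obs-text.
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
FIELD_VALUE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")

# Response headers a caller must never be allowed to set or overwrite.
PROTECTED = {"set-cookie", "cache-control", "content-security-policy",
             "strict-transport-security", "location", "content-type"}


def echo_headers_vulnerable(user_headers):
    """The flaw: caller-supplied headers are copied into the response as-is."""
    return [f"{k}: {v}" for k, v in user_headers.items()]


def validate_header(name, value):
    """Return None if the pair may be emitted, otherwise the rejection reason."""
    if not TOKEN_RE.fullmatch(name):
        return "invalid header name"
    if not FIELD_VALUE_RE.fullmatch(value):
        return "control characters in header value"
    if name.lower() in PROTECTED:
        return "protected response header"
    return None


def echo_headers_hardened(user_headers):
    """Emit only validated headers; return (accepted lines, {name: reason})."""
    accepted, rejected = [], {}
    for name, value in user_headers.items():
        reason = validate_header(name, value)
        if reason is None:
            accepted.append(f"{name}: {value}")
        else:
            rejected[name] = reason
    return accepted, rejected


def count_wire_lines(header_lines):
    """Header lines a receiver would parse once the list is serialized."""
    return ("\r\n".join(header_lines) + "\r\n").count("\r\n")
```

Run against the constructed payload, the vulnerable handler serializes three entries into four header lines (the smuggled `Set-Cookie` becomes its own line), while the hardened handler emits only `X-Request-Id` and reports why the other two were dropped.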
| CWE | CWE-74 |
| Vendor | wso2 |
| Product | wso2 api manager |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
Affected Versions
| Vendor | Product | Affected Version Ranges |
| WSO2 | WSO2 API Manager | 4.1.0 < 4.1.0.218; 4.2.0 < 4.2.0.164; 4.3.0 < 4.3.0.74; 4.4.0 < 4.4.0.38; 4.5.0 < 4.5.0.20 |
| WSO2 | WSO2 Universal Gateway | 4.5.0 < 4.5.0.19 |
| WSO2 | WSO2 Traffic Manager | 4.5.0 < 4.5.0.19 |
| WSO2 | WSO2 API Control Plane | 4.5.0 < 4.5.0.21 |
| WSO2 | WSO2 Carbon API Gateway | 9.20.74 < 9.20.74.374; 9.28.116 < 9.28.116.363; 9.29.120 < 9.29.120.181; 9.30.67 < 9.30.67.104; 9.31.86 < 9.31.86.64 |
| WSO2 | WSO2 Carbon API Management Implementation | 9.20.74 < 9.20.74.374; 9.28.116 < 9.28.116.363; 9.29.120 < 9.29.120.181; 9.30.67 < 9.30.67.104; 9.31.86 < 9.31.86.64 |