CVE-2025-13590

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:api_control_plane:4.5.0:-::::::
	cpe:2.3:a:wso2:api_control_plane:4.6.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.2.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.3.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.4.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.5.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.6.0:-::::::
	cpe:2.3:a:wso2:traffic_manager:4.5.0:::::::*
	cpe:2.3:a:wso2:traffic_manager:4.6.0:::::::*
	cpe:2.3:a:wso2:universal_gateway:4.5.0:::::::*
	cpe:2.3:a:wso2:universal_gateway:4.6.0:::::::*

History

No history.

Information

Published : 2026-02-19 10:16

Updated : 2026-02-20 21:19

NVD link : CVE-2025-13590

Mitre link : CVE-2025-13590

CVE.ORG link : CVE-2025-13590

JSON object : View

Products Affected

wso2

universal_gateway
api_manager
traffic_manager
api_control_plane

CWE

NVD-CWE-noinfo CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-13590", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-02-19T10:16:11.003", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/", "tags": ["Vendor Advisory"], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. \n\n By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload."}, {"lang": "es", "value": "Un actor malicioso con privilegios administrativos puede cargar un archivo arbitrario a una ubicaci\u00f3n controlada por el usuario dentro del despliegue a trav\u00e9s de una API REST del sistema. Las cargas exitosas pueden conducir a la ejecuci\u00f3n remota de c\u00f3digo.\n\nAl explotar la vulnerabilidad, un actor malicioso puede realizar ejecuci\u00f3n remota de c\u00f3digo al cargar una carga \u00fatil especialmente dise\u00f1ada."}], "lastModified": "2026-02-20T21:19:23.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680"}, {"criteria": "cpe:2.3:a:wso2:api_control_plane:4.6.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95D688C7-D22B-4CF9-A522-1ADB71D2B7C7"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.6.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD918BEC-B79C-45F1-9E44-7276BFD49B96"}, {"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8"}, {"criteria": "cpe:2.3:a:wso2:traffic_manager:4.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "933BA5C3-F145-498F-AF06-75CB9EE88046"}, {"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC"}, {"criteria": "cpe:2.3:a:wso2:universal_gateway:4.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E189CD5B-E7D2-48B8-AFAD-9D9CDE6F8BBA"}], "operator": "OR"}]}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}