Description
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser.

Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
Published: 2026-04-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The authentication endpoint does not enforce proper validation of user input and echoes it back to the client. This flaw allows an attacker to inject malicious scripts that are executed within the victim's browser, enabling UI alteration, redirection to malicious sites, or extraction of sensitive data from the browser. The vulnerability is a classic reflected XSS flaw (CWE-79). The impact is confined to confidentiality and integrity of data presented in the browser; session cookies are guarded with httpOnly, so session hijacking is not possible.

Affected Systems

WSO2 API Manager. No specific product version details are supplied in the advisory, so all installations of the product are potentially susceptible until a patch is applied.

Risk and Exploitability

The vulnerability has a CVSS score of 6.1, indicating moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of exploitation in the wild. The likely attack vector is remote via the exposed authentication endpoint, where an attacker supplies malicious input in the request parameters. Once the payload reaches the client, it runs with the privileges of the authenticated user in that session.

Generated by OpenCVE AI on April 17, 2026 at 03:26 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/#solution


OpenCVE Recommended Actions

  • Update WSO2 API Manager to the patched version following the official instructions at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/#solution
  • Ensure that all user-supplied input, especially on authentication endpoints, is properly sanitized or encoded before rendering
  • Deploy a Web Application Firewall or enable Content Security Policy headers to mitigate XSS attacks


Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 11:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Wso2; Wso2 wso2 Api Manager

Type: Vendors & Products
Values removed: (none)
Values added: Wso2; Wso2 wso2 Api Manager

Thu, 16 Apr 2026 10:15:00 +0000

Type: Description
Values removed: (none)
Values added: The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Type: Title
Values removed: (none)
Values added: Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added:

Type: Metrics
Values removed: (none)
Values added: cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-04-16T12:30:30.619Z

Reserved: 2024-10-22T10:00:06.524Z

Link: CVE-2024-10242

Vulnrichment

Updated: 2026-04-16T12:19:57.655Z

NVD

Status: Awaiting Analysis

Published: 2026-04-16T10:16:12.790

Modified: 2026-04-17T15:38:09.243

Link: CVE-2024-10242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses