Description
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that declares external entities which the parser then resolves.

By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable from the vulnerable product via HTTP GET requests.
Published: 2026-04-16
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via arbitrary file read
Action: Immediate Patch
AI Analysis

Impact

A component in WSO2 API Manager accepts XML input on the publisher interface without disabling external entity resolution. An attacker holding a low-privileged account (the published vector scores PR:L) can submit a document whose DTD declares an external entity that points at a file path or a URL; when the server parses the document, it resolves the entity and places the fetched content into the parsed result. This lets the attacker read files that the server process can read and make HTTP GET requests from the server to local or network-reachable endpoints, exposing configuration files and other confidential data. Integrity and availability are not affected (C:L/I:N/A:N).

Affected Systems

The vulnerability affects WSO2 API Manager. The CPE recorded for this CVE is a version wildcard and no specific releases are listed here; administrators should consult the vendor advisory linked under Remediation to determine which releases are impacted and apply the recommended fix.

Risk and Exploitability

The CVSS 3.1 base score of 3.5 (vector AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) is Low: the vector requires adjacent-network access and a low-privileged account, and it scores a limited confidentiality impact only. EPSS is below 1%, indicating little evidence of exploitation activity, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial) points the same way. The attack path is an XML document submitted to the publisher endpoint carrying an external entity declaration. The impact is file read and server-side HTTP GET rather than code execution or denial of service.

Generated by OpenCVE AI on April 17, 2026 at 03:26 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution

OpenCVE Recommended Actions

  • Apply the patch and configuration changes detailed by WSO2 on the advisory page linked above, which disable external entity resolution for the publisher input.
  • If a patch cannot be applied immediately, configure the application to reject XML submissions that contain a DOCTYPE declaration (the only place an external entity can be declared), closing the exploit channel from the publisher endpoint. Rejecting is preferable to sanitizing, since a document that legitimately needs no DTD loses nothing.
  • Restrict network exposure of the publisher interface and enforce authentication to limit the attack surface, ensuring that only authorized users can submit XML payloads. The vector already assumes a low-privileged account, so also review who holds publisher access.
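The mechanism described under Impact and the two mitigations listed above (disable external entity resolution; reject submissions carrying entity declarations), as an added example that is not WSO2's code and not part of the advisory. WSO2 API Manager is a Java product; the example uses Python's xml.sax because it exposes the same parser switch, and everything in it (the element names, the "deployment.toml" stand-in for a sensitive file, the payload) is constructed for the demonstration.

```python
"""Added example (not WSO2 code): the XXE read the advisory describes,
reproduced with Python's xml.sax, next to the two mitigations the page
recommends (disable external entity resolution; reject DTD-bearing input).
The secret file, element names and payload are constructed for the demo.
"""
import io
import re
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers all character data of the parsed document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts).strip()


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return its text content.

    True  = the vulnerable configuration: the parser fetches SYSTEM entities,
            so a file:// or http:// target is read/requested by the server.
    False = the hardened configuration: external entity references are
            silently skipped (Python's own default since 3.7.1).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_payload(target_uri: str) -> bytes:
    """The kind of document the advisory describes: an internal DTD declaring
    an external general entity, referenced from element content.  With an
    http://... target the same structure becomes a server-side GET."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE api [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<api><description>&xxe;</description></api>\n"
    ).encode()


# Pre-parse gate for an upload endpoint (the page's interim advice): a document
# with no DOCTYPE cannot declare entities at all.  Case-insensitive and
# deliberately over-broad (also trips on the keywords inside comments/CDATA):
# false positives are acceptable at this boundary, false negatives are not.
_DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def rejects_dtd(xml_bytes: bytes) -> bool:
    return _DTD_MARKER.search(xml_bytes) is not None


def demonstrate() -> dict:
    """Run the payload through both parser configurations and the gate."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive configuration file on the server.
        secret = Path(tmp) / "deployment.toml"
        secret.write_text("SECRET=hunter2")
        payload = xxe_payload(secret.as_uri())
        return {
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
            "gate_blocks_payload": rejects_dtd(payload),
            "gate_blocks_benign": rejects_dtd(b"<api><description>ok</description></api>"),
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key:>20}: {value!r}")
```

Run stand-alone, the vulnerable configuration returns the stand-in file's contents, the hardened configuration returns an empty string for the same input, and the gate rejects the payload while passing a plain document. The counterpart on a Java JAXP parser is to set the feature "http://apache.org/xml/features/disallow-doctype-decl" to true (or, for StAX, XMLInputFactory.SUPPORT_DTD to false); that is general JAXP hardening stated here as background, not a setting taken from the WSO2 advisory, which should be followed as written.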

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wso2 api Manager
Vendors & Products | | Wso2 api Manager

Thu, 16 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
Title | | XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files
First Time appeared | | Wso2, Wso2 wso2 Api Manager
Weaknesses | | CWE-611
CPEs | | cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
Vendors & Products | | Wso2, Wso2 wso2 Api Manager
References | |
Metrics | | cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-04-16T12:30:36.466Z

Reserved: 2024-08-20T12:45:54.123Z

Link: CVE-2024-8010

Vulnrichment

Updated: 2026-04-16T12:19:59.812Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T10:16:14.050

Modified: 2026-04-17T15:38:09.243

Link: CVE-2024-8010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses