Description
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting.

An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the authentication endpoint of WSO2 Identity Server, which accepts user input without enforcing validation constraints or output encoding, allowing attackers to inject malicious JavaScript payloads for reflected cross‑site scripting. The impact can include redirecting users to malicious sites, modifying page content, or exfiltrating data from the browser, but session hijacking is mitigated by httpOnly cookies. The likely attack vector is via crafted HTTP requests to the authentication endpoint, though the description does not explicitly state the network scope.

Affected Systems

WSO2 Identity Server is affected; the CNA provides no specific version information, so all released versions should be treated as vulnerable until the patch is applied.

Risk and Exploitability

With a CVSS score of 6.1, the vulnerability is considered medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation. The attack vector is remote, relying on the ability to submit crafted input to the authentication endpoint. Because session cookies are protected by the httpOnly flag and cannot be hijacked, the overall damage potential is reduced, but the XSS payload can still manipulate user interactions.

Generated by OpenCVE AI on April 29, 2026 at 09:21 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/#solution


OpenCVE Recommended Actions

  • Apply the official patch as detailed in the WSO2 security advisory.
  • Deploy the updated version of WSO2 Identity Server to all environments that expose the authentication endpoint.
  • Monitor and review authentication endpoint logs for XSS injection attempts, and enforce input validation and output encoding in any custom implementations.


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 08:30:00 +0000

Values Removed: none.

Values Added:

Description: The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.

Title: Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server

First Time appeared: Wso2; Wso2 wso2 Identity Server

Weaknesses: CWE-79

CPEs: cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*

Vendors & Products: Wso2; Wso2 wso2 Identity Server

References: (none)

Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-04-29T12:28:52.278Z

Reserved: 2025-09-16T04:58:57.289Z

Link: CVE-2025-10503

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-29T09:16:23.663

Modified: 2026-04-29T09:16:23.663

Link: CVE-2025-10503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T09:30:07Z

Weaknesses