{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11093", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2025-09-27T07:10:05.485Z", "datePublished": "2025-11-05T18:31:17.873Z", "dateUpdated": "2025-11-05T19:39:15.696Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WSO2 Micro Integrator", "vendor": "WSO2", "versions": [{"lessThan": "4.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "4.0.0.145", "status": "affected", "version": "4.0.0", "versionType": "custom"}, {"lessThan": "4.1.0.147", "status": "affected", "version": "4.1.0", "versionType": "custom"}, {"lessThan": "4.2.0.141", "status": "affected", "version": "4.2.0", "versionType": "custom"}, {"lessThan": "4.3.0.42", "status": "affected", "version": "4.3.0", "versionType": "custom"}, {"lessThan": "4.4.0.27", "status": "affected", "version": "4.4.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 API Manager", "vendor": "WSO2", "versions": [{"lessThan": "3.1.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "3.1.0.345", "status": "affected", "version": "3.1.0", "versionType": "custom"}, {"lessThan": "3.2.0.446", "status": "affected", "version": "3.2.0", "versionType": "custom"}, {"lessThan": "3.2.1.66", "status": "affected", "version": "3.2.1", "versionType": "custom"}, {"lessThan": "4.0.0.366", "status": "affected", "version": "4.0.0", "versionType": "custom"}, {"lessThan": "4.1.0.228", "status": "affected", "version": "4.1.0", "versionType": "custom"}, {"lessThan": "4.2.0.169", "status": "affected", "version": "4.2.0", "versionType": "custom"}, {"lessThan": "4.3.0.81", "status": "affected", "version": "4.3.0", "versionType": "custom"}, {"lessThan": "4.4.0.45", "status": "affected", "version": "4.4.0", "versionType": "custom"}, {"lessThan": "4.5.0.28", "status": "affected", "version": "4.5.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Enterprise Integrator", "vendor": "WSO2", "versions": [{"lessThan": "6.6.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "6.6.0.224", "status": "affected", "version": "6.6.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Universal Gateway", "vendor": "WSO2", "versions": [{"lessThan": "4.5.0.27", "status": "affected", "version": "4.5.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 API Control Plane", "vendor": "WSO2", "versions": [{"lessThan": "4.5.0.29", "status": "affected", "version": "4.5.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Traffic Manager", "vendor": "WSO2", "versions": [{"lessThan": "4.5.0.27", "status": "affected", "version": "4.5.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Open Banking IAM", "vendor": "WSO2", "versions": [{"lessThan": "2.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "2.0.0.414", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Open Banking AM", "vendor": "WSO2", "versions": [{"lessThan": "2.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "2.0.0.394", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Identity Server as Key Manager", "vendor": "WSO2", "versions": [{"lessThan": "5.10.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "5.10.0.365", "status": "affected", "version": "5.10.0", "versionType": "custom"}]}, {"defaultStatus": "unknown", "packageName": "org.apache.synapse:synapse-core", "product": "org.apache.synapse:synapse-core", "vendor": "WSO2", "versions": [{"lessThan": "2.1.7.wso2v227_99", "status": "affected", "version": "2.1.7.wso2v227", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v271_88", "status": "affected", "version": "2.1.7.wso2v271", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v143_121", "status": "affected", "version": "2.1.7.wso2v143", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v319_13", "status": "affected", "version": "2.1.7.wso2v319", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v183_72", "status": "affected", "version": "2.1.7.wso2v183", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v119_27", "status": "affected", "version": "4.0.0.wso2v119", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v20_93", "status": "affected", "version": "4.0.0.wso2v20", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v215_26", "status": "affected", "version": "4.0.0.wso2v215", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v218_1", "status": "affected", "version": "4.0.0.wso2v218", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v105_13", "status": "affected", "version": "4.0.0.wso2v105", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v131_5", "status": "affected", "version": "4.0.0.wso2v131", "versionType": "custom"}, {"lessThanOrEqual": "*", "status": "unaffected", "version": "4.0.0-wso2v254", "versionType": "custom"}]}, {"defaultStatus": "unknown", "packageName": "org.apache.synapse:synapse-extensions", "product": "org.apache.synapse:synapse-extensions", "vendor": "WSO2", "versions": [{"lessThan": "2.1.7.wso2v227_99", "status": "affected", "version": "2.1.7.wso2v227", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v271_88", "status": "affected", "version": "2.1.7.wso2v271", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v143_121", "status": "affected", "version": "2.1.7.wso2v143", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v319_13", "status": "affected", "version": "2.1.7.wso2v319", "versionType": "custom"}, {"lessThan": "2.1.7.wso2v183_72", "status": "affected", "version": "2.1.7.wso2v183", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v119_27", "status": "affected", "version": "4.0.0.wso2v119", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v20_93", "status": "affected", "version": "4.0.0.wso2v20", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v215_26", "status": "affected", "version": "4.0.0.wso2v215", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v218_1", "status": "affected", "version": "4.0.0.wso2v218", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v105_13", "status": "affected", "version": "4.0.0.wso2v105", "versionType": "custom"}, {"lessThan": "4.0.0.wso2v131_5", "status": "affected", "version": "4.0.0.wso2v131", "versionType": "custom"}, {"lessThanOrEqual": "*", "status": "unaffected", "version": "4.0.0-wso2v254", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.145", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.1.0.147", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.2.0.141", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.3.0.42", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.0.27", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.0.345", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.2.0.446", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.2.1.66", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.366", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.1.0.228", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.2.0.169", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.3.0.81", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.0.45", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.0.28", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.0.224", "versionStartIncluding": "6.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.0.27", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.0.29", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.0.27", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.0.414", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.0.394", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.0.365", "versionStartIncluding": "5.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v227_99", "versionStartIncluding": "2.1.7.wso2v227", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v271_88", "versionStartIncluding": "2.1.7.wso2v271", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v143_121", "versionStartIncluding": "2.1.7.wso2v143", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v319_13", "versionStartIncluding": "2.1.7.wso2v319", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v183_72", "versionStartIncluding": "2.1.7.wso2v183", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v119_27", "versionStartIncluding": "4.0.0.wso2v119", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v20_93", "versionStartIncluding": "4.0.0.wso2v20", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v215_26", "versionStartIncluding": "4.0.0.wso2v215", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v218_1", "versionStartIncluding": "4.0.0.wso2v218", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v105_13", "versionStartIncluding": "4.0.0.wso2v105", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v131_5", "versionStartIncluding": "4.0.0.wso2v131", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "versionEndIncluding": "*", "versionStartIncluding": "4.0.0-wso2v254", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v227_99", "versionStartIncluding": "2.1.7.wso2v227", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v271_88", "versionStartIncluding": "2.1.7.wso2v271", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v143_121", "versionStartIncluding": "2.1.7.wso2v143", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v319_13", "versionStartIncluding": "2.1.7.wso2v319", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.7.wso2v183_72", "versionStartIncluding": "2.1.7.wso2v183", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v119_27", "versionStartIncluding": "4.0.0.wso2v119", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v20_93", "versionStartIncluding": "4.0.0.wso2v20", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v215_26", "versionStartIncluding": "4.0.0.wso2v215", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v218_1", "versionStartIncluding": "4.0.0.wso2v218", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v105_13", "versionStartIncluding": "4.0.0.wso2v105", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.0.wso2v131_5", "versionStartIncluding": "4.0.0.wso2v131", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "versionEndIncluding": "*", "versionStartIncluding": "4.0.0-wso2v254", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "reporter", "value": "crnkovi\u0107"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.<br><br>By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.<br>"}], "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\n\nBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2025-11-05T18:34:04.737Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution</span></a> <br>"}], "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution"}], "source": {"advisory": "WSO2-2025-4510", "discovery": "EXTERNAL"}, "title": "Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T19:14:13.042418Z", "id": "CVE-2025-11093", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T19:39:15.696Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-05T19:14:13.042418Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T19:18:22.245Z"}}], "cna": {"title": "Arbitrary Code Execution with higher privileged users in Multiple WSO2 Products via Script Mediator Engines (GraalJS and NashornJS)", "source": {"advisory": "WSO2-2025-4510", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "crnkovi\u0107"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 Micro Integrator", "versions": [{"status": "unknown", "version": "0", "lessThan": "4.0.0", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.145", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.147", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.0.141", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.0.42", "versionType": "custom"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.0.27", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 API Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "3.1.0", "versionType": "custom"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.0.345", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.0.446", "versionType": "custom"}, {"status": "affected", "version": "3.2.1", "lessThan": "3.2.1.66", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.366", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.228", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.0.169", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.0.81", "versionType": "custom"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.0.45", "versionType": "custom"}, {"status": "affected", "version": "4.5.0", "lessThan": "4.5.0.28", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Enterprise Integrator", "versions": [{"status": "unknown", "version": "0", "lessThan": "6.6.0", "versionType": "custom"}, {"status": "affected", "version": "6.6.0", "lessThan": "6.6.0.224", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Universal Gateway", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.0.27", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 API Control Plane", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.0.29", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Traffic Manager", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.0.27", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Open Banking IAM", "versions": [{"status": "unknown", "version": "0", "lessThan": "2.0.0", "versionType": "custom"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.0.414", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Open Banking AM", "versions": [{"status": "unknown", "version": "0", "lessThan": "2.0.0", "versionType": "custom"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.0.394", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "WSO2 Identity Server as Key Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "5.10.0", "versionType": "custom"}, {"status": "affected", "version": "5.10.0", "lessThan": "5.10.0.365", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "WSO2", "product": "org.apache.synapse:synapse-core", "versions": [{"status": "affected", "version": "2.1.7.wso2v227", "lessThan": "2.1.7.wso2v227_99", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v271", "lessThan": "2.1.7.wso2v271_88", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v143", "lessThan": "2.1.7.wso2v143_121", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v319", "lessThan": "2.1.7.wso2v319_13", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v183", "lessThan": "2.1.7.wso2v183_72", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v119", "lessThan": "4.0.0.wso2v119_27", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v20", "lessThan": "4.0.0.wso2v20_93", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v215", "lessThan": "4.0.0.wso2v215_26", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v218", "lessThan": "4.0.0.wso2v218_1", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v105", "lessThan": "4.0.0.wso2v105_13", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v131", "lessThan": "4.0.0.wso2v131_5", "versionType": "custom"}, {"status": "unaffected", "version": "4.0.0-wso2v254", "versionType": "custom", "lessThanOrEqual": "*"}], "packageName": "org.apache.synapse:synapse-core", "defaultStatus": "unknown"}, {"vendor": "WSO2", "product": "org.apache.synapse:synapse-extensions", "versions": [{"status": "affected", "version": "2.1.7.wso2v227", "lessThan": "2.1.7.wso2v227_99", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v271", "lessThan": "2.1.7.wso2v271_88", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v143", "lessThan": "2.1.7.wso2v143_121", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v319", "lessThan": "2.1.7.wso2v319_13", "versionType": "custom"}, {"status": "affected", "version": "2.1.7.wso2v183", "lessThan": "2.1.7.wso2v183_72", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v119", "lessThan": "4.0.0.wso2v119_27", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v20", "lessThan": "4.0.0.wso2v20_93", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v215", "lessThan": "4.0.0.wso2v215_26", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v218", "lessThan": "4.0.0.wso2v218_1", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v105", "lessThan": "4.0.0.wso2v105_13", "versionType": "custom"}, {"status": "affected", "version": "4.0.0.wso2v131", "lessThan": "4.0.0.wso2v131_5", "versionType": "custom"}, {"status": "unaffected", "version": "4.0.0-wso2v254", "versionType": "custom", "lessThanOrEqual": "*"}], "packageName": "org.apache.synapse:synapse-extensions", "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/#solution</span></a> <br>", "base64": false}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\n\nBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.", "supportingMedia": [{"type": "text/html", "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.<br><br>By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.145", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.1.0.147", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.2.0.141", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.3.0.42", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_micro_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.4.0.27", "versionStartIncluding": "4.4.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.1.0.345", "versionStartIncluding": "3.1.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.2.0.446", "versionStartIncluding": "3.2.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.2.1.66", "versionStartIncluding": "3.2.1"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.366", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.1.0.228", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.2.0.169", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.3.0.81", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.4.0.45", "versionStartIncluding": "4.4.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.5.0.28", "versionStartIncluding": "4.5.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_enterprise_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.0.224", "versionStartIncluding": "6.6.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.5.0.27", "versionStartIncluding": "4.5.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.5.0.29", "versionStartIncluding": "4.5.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.5.0.27", "versionStartIncluding": "4.5.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.0.414", "versionStartIncluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.0.394", "versionStartIncluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.0.365", "versionStartIncluding": "5.10.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v227_99", "versionStartIncluding": "2.1.7.wso2v227"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v271_88", "versionStartIncluding": "2.1.7.wso2v271"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v143_121", "versionStartIncluding": "2.1.7.wso2v143"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v319_13", "versionStartIncluding": "2.1.7.wso2v319"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v183_72", "versionStartIncluding": "2.1.7.wso2v183"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v119_27", "versionStartIncluding": "4.0.0.wso2v119"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v20_93", "versionStartIncluding": "4.0.0.wso2v20"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v215_26", "versionStartIncluding": "4.0.0.wso2v215"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v218_1", "versionStartIncluding": "4.0.0.wso2v218"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v105_13", "versionStartIncluding": "4.0.0.wso2v105"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v131_5", "versionStartIncluding": "4.0.0.wso2v131"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-core:*:*:*:*:*:*:*:*", "vulnerable": false, "versionEndIncluding": "*", "versionStartIncluding": "4.0.0-wso2v254"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v227_99", "versionStartIncluding": "2.1.7.wso2v227"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v271_88", "versionStartIncluding": "2.1.7.wso2v271"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v143_121", "versionStartIncluding": "2.1.7.wso2v143"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v319_13", "versionStartIncluding": "2.1.7.wso2v319"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.7.wso2v183_72", "versionStartIncluding": "2.1.7.wso2v183"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v119_27", "versionStartIncluding": "4.0.0.wso2v119"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v20_93", "versionStartIncluding": "4.0.0.wso2v20"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v215_26", "versionStartIncluding": "4.0.0.wso2v215"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v218_1", "versionStartIncluding": "4.0.0.wso2v218"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v105_13", "versionStartIncluding": "4.0.0.wso2v105"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.wso2v131_5", "versionStartIncluding": "4.0.0.wso2v131"}, {"criteria": "cpe:2.3:a:wso2:org.apache.synapse_synapse-extensions:*:*:*:*:*:*:*:*", "vulnerable": false, "versionEndIncluding": "*", "versionStartIncluding": "4.0.0-wso2v254"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2025-11-05T18:34:04.737Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11093", "state": "PUBLISHED", "dateUpdated": "2025-11-05T19:39:15.696Z", "dateReserved": "2025-09-27T07:10:05.485Z", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "datePublished": "2025-11-05T18:31:17.873Z", "assignerShortName": "WSO2"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DA583F2-EBE8-4E32-9A26-F9C5631458E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "94843455-1DEB-43A4-969E-8B93EF7FCE2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "686838FC-A05F-4FF8-A599-B09F41BB6F0B", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:4.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3A026ACD-89F5-44D1-AF90-7C8BC727D1F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:4.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1FD63BA4-3B7D-4348-993A-A720321F07EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7413107-D7B2-49AE-AC46-52E7BFCD6ED8", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "61636553-C25E-44DF-93D7-EB3E1056D1DC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment.\n\nBy default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment."}], "id": "CVE-2025-11093", "lastModified": "2025-12-04T21:09:03.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-11-05T19:15:49.900", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4510/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}

{}

{"created": "2025-11-06T10:06:47.108821+00:00", "updated": "2025-11-06T10:06:47.108843+00:00", "vendors": ["wso2", "wso2$PRODUCT$api_manager", "wso2$PRODUCT$enterprise_integrator", "wso2$PRODUCT$micro_integrator"]}