Description
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
Published: 2026-04-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting enabling redirects and information theft
Action: Immediate Patch
AI Analysis

Impact

The authentication endpoint in WSO2 products does not encode user‑supplied input before rendering it, creating a cross‑site scripting vulnerability. An attacker can embed malicious JavaScript into the endpoint, which the victim’s browser will execute. The script can redirect the user to a malicious site, alter the page’s user interface, or exfiltrate data stored in the browser. Session hijacking is not feasible because session cookies are protected with the httpOnly flag.

Affected Systems

The vulnerability affects WSO2 API Manager and WSO2 Identity Server. Specific product versions are not listed in the advisory, so all recent releases should be verified for a fix.

Risk and Exploitability

This issue carries a moderate CVSS score of 6.1, with an EPSS score of 0.0003 and has not yet been listed in the CISA KEV catalog. Because the flaw resides in a public authentication endpoint, exploitation is possible over the internet when a user visits or interacts with the vulnerable page. The attack required the victim’s browser to load the injected script, implying a user‑interaction component, but developers or attackers can craft malicious links to entice users. The absence of session cookie compromise limits the threat to client‑side damage and data theft rather than full account takeover.

Generated by OpenCVE AI on April 17, 2026 at 04:52 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4251/#solution

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch as described in the WSO2 advisory
  • Upgrade to the latest product release that includes the fix if the patch is not yet available
  • Configure a strict content‑security‑policy to restrict script execution on the authentication endpoint

Generated by OpenCVE AI on April 17, 2026 at 04:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wso2
Wso2 wso2 Api Manager
Wso2 wso2 Identity Server
Vendors & Products Wso2
Wso2 wso2 Api Manager
Wso2 wso2 Identity Server

Thu, 16 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
Title Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wso2 Wso2 Api Manager Wso2 Identity Server
cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-04-16T12:30:22.824Z

Reserved: 2025-06-12T09:23:00.709Z

Link: CVE-2025-6024

cve-icon Vulnrichment

Updated: 2026-04-16T12:19:55.303Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T10:16:14.243

Modified: 2026-04-17T15:38:09.243

Link: CVE-2025-6024

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T05:00:05Z

Weaknesses