Description
The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application.

By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.
Published: 2026-07-06
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to inject malicious script into a page by passing crafted data through a URL parameter that the application reflects without proper output encoding. This results in a classic reflected Cross‑Site Scripting (XSS) attack, which can push the victim’s browser to a malicious site, alter page content, or read and transmit information from the user’s session. The vulnerability does not compromise authentication tokens directly because session cookies are protected with httpOnly flags, so the primary impact is client‑side manipulation and potential data theft rather than server‑side credential compromise.

Affected Systems

All variants of WSO2 API Control Plane, WSO2 API Manager, WSO2 Identity Server (including Key Manager), WSO2 Open Banking AM, WSO2 Open Banking IAM, WSO2 Traffic Manager, and WSO2 Universal Gateway are affected. No specific version range is listed, so any released version of these products prior to the advisory’s fix is considered vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the likelihood of widespread exploitation is uncertain, but reflected XSS is a well‑known attack method that can be automated. The most likely attack vector is through a maliciously crafted URL that a user might click or otherwise be exposed to, resulting in client‑side compromise and data leakage. The impact is limited to the victim who accesses the vulnerable page and does not inherently allow remote code execution on the server.

Generated by OpenCVE AI on July 6, 2026 at 16:57 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4343/#solution


OpenCVE Recommended Actions

  • Apply the vendor‑supplied fix by following the instructions on the WSO2 security advisory page.
  • Upgrade the affected WSO2 products to a version that includes the XSS patch if a direct patch is unavailable.
  • Implement input validation or output encoding for any URL parameters that are reflected back by the application as an added safeguard.

Generated by OpenCVE AI on July 6, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Wso2 api Control Plane
Wso2 api Manager
Wso2 identity Server
Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam
Wso2 traffic Manager
Wso2 universal Gateway
Vendors & Products Wso2 api Control Plane
Wso2 api Manager
Wso2 identity Server
Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam
Wso2 traffic Manager
Wso2 universal Gateway

Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.
Title Reflected Cross-Site Scripting via URL Parameter in Multiple WSO2 Products Enables UI Modification
First Time appeared Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Identity Server
Wso2 wso2 Identity Server As Key Manager
Wso2 wso2 Open Banking Am
Wso2 wso2 Open Banking Iam
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
Weaknesses CWE-79
CPEs cpe:2.3:a:wso2:wso2_api_control_plane:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_universal_gateway:*:*:*:*:*:*:*:*
Vendors & Products Wso2
Wso2 wso2 Api Control Plane
Wso2 wso2 Api Manager
Wso2 wso2 Identity Server
Wso2 wso2 Identity Server As Key Manager
Wso2 wso2 Open Banking Am
Wso2 wso2 Open Banking Iam
Wso2 wso2 Traffic Manager
Wso2 wso2 Universal Gateway
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wso2 Api Control Plane Api Manager Identity Server Identity Server As Key Manager Open Banking Am Open Banking Iam Traffic Manager Universal Gateway Wso2 Api Control Plane Wso2 Api Manager Wso2 Identity Server Wso2 Identity Server As Key Manager Wso2 Open Banking Am Wso2 Open Banking Iam Wso2 Traffic Manager Wso2 Universal Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-07-06T11:05:59.157Z

Reserved: 2025-08-05T11:53:15.931Z

Link: CVE-2025-8591

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')