CVE-2025-13590

Published 19/02/2026 10:16 · Modified 20/02/2026 21:19

Labels: CVE-2025-13590, 2026-02-19, CWE-434, NVD-CWE-noinfo, ed10eef1-636d-4fbe-9993-6890dfa878f8

Essential information

Published: 19/02/2026 10:16
Modified: 20/02/2026 21:19
Author:
Creator:
CVSS: 9.1 CRITICAL (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

NVD status

Status: Modified (CVE is currently being analyzed by NVD staff; this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.)
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Affected products (CPE)

Product                    CPE
wso2 / api control plane   cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*
wso2 / api control plane   cpe:2.3:a:wso2:api_control_plane:4.6.0:-:*:*:*:*:*:*
wso2 / api manager         cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
wso2 / api manager         cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
wso2 / api manager         cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*
wso2 / api manager         cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*
wso2 / api manager         cpe:2.3:a:wso2:api_manager:4.6.0:-:*:*:*:*:*:*
wso2 / traffic manager     cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*
wso2 / traffic manager     cpe:2.3:a:wso2:traffic_manager:4.6.0:*:*:*:*:*:*:*
wso2 / universal gateway   cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*
wso2 / universal gateway   cpe:2.3:a:wso2:universal_gateway:4.6.0:*:*:*:*:*:*:*

References