CVE-2025-13590
HIGH WAF: Medium
CVSS 7.2
Published: 2026-02-19
CWE-434
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| wso2 | api_control_plane | 4.5.0 |
| wso2 | api_control_plane | 4.6.0 |
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | api_manager | 4.6.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | traffic_manager | 4.6.0 |
| wso2 | universal_gateway | 4.5.0 |
References
- security.docs.wso2.com (Vendor Advisory)