XXE in WSO2 API Manager Publisher via XML input
CVE-2024-8010 Published on April 16, 2026
XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.
By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
Vulnerability Analysis
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2024-8010 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2024-8010
Want to know whenever a new CVE is published for Wso2 Api Manager? stack.watch will email you.
Affected Versions
WSO2 API Manager:- Before 3.2.0 is unknown.
- Version 3.2.0 and below 3.2.0.397 is affected.
- Version 3.2.1 and below 3.2.1.27 is affected.
- Version 4.0.0 and below 4.0.0.310 is affected.
- Version 4.0.0 and below 4.0.0.319 is affected.
- Version 4.1.0 and below 4.1.0.171 is affected.
- Version 4.2.0 and below 4.2.0.127 is affected.
- Version 4.3.0 and below 4.3.0.39 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.