WSO2 Mgt Console Reflected XSS via Improper Output Encoding
CVE-2025-10853 Published on November 5, 2025

Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2025-10853 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2025-10853

Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.

Wso2 Open Banking Iam

Wso2 Api Manager

Wso2 Identity Server

Wso2 Open Banking Am

Wso2 Identity Server As Key Manager

Wso2 Enterprise Integrator

Wso2 Api Control Plane

Wso2 Universal Gateway

Wso2 Traffic Manager

Org Wso2 Carbon Registry Org Wso2 Carbon Registry Info Ui

Org Wso2 Carbon Registry Org Wso2 Carbon Registry Resource Ui

Org Wso2 Carbon Governance Org Wso2 Carbon Governance Wsdltool Ui

Org Wso2 Carbon Identity Inbound Auth Oauth2 Org Wso2 Carbon Identity Oauth Ui

Affected Versions

WSO2 Open Banking IAM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.413 is affected.

WSO2 API Manager:

Before 3.1.0 is unknown.
Version 3.1.0 and below 3.1.0.344 is affected.
Version 3.2.0 and below 3.2.0.445 is affected.
Version 3.2.1 and below 3.2.1.65 is affected.
Version 4.0.0 and below 4.0.0.365 is affected.
Version 4.1.0 and below 4.1.0.227 is affected.
Version 4.2.0 and below 4.2.0.167 is affected.
Version 4.3.0 and below 4.3.0.79 is affected.
Version 4.4.0 and below 4.4.0.43 is affected.
Version 4.5.0 and below 4.5.0.26 is affected.

WSO2 Identity Server:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.373 is affected.
Version 5.11.0 and below 5.11.0.417 is affected.
Version 6.0.0 and below 6.0.0.247 is affected.
Version 6.1.0 and below 6.1.0.246 is affected.
Version 7.0.0 and below 7.0.0.122 is affected.
Version 7.1.0 and below 7.1.0.29 is affected.

WSO2 Open Banking AM:

Before 2.0.0 is unknown.
Version 2.0.0 and below 2.0.0.393 is affected.

WSO2 Identity Server as Key Manager:

Before 5.10.0 is unknown.
Version 5.10.0 and below 5.10.0.363 is affected.

WSO2 Enterprise Integrator:

Before 6.6.0 is unknown.
Version 6.6.0 and below 6.6.0.223 is affected.

WSO2 API Control Plane:

Version 4.5.0 and below 4.5.0.27 is affected.

WSO2 Universal Gateway:

Version 4.5.0 and below 4.5.0.25 is affected.

WSO2 Traffic Manager:

Version 4.5.0 and below 4.5.0.25 is affected.

org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui:

Version 4.7.32 and below 4.7.32.14 is affected.
Version 4.7.35 and below 4.7.35.11 is affected.
Version 4.7.39 and below 4.7.39.9 is affected.
Version 4.7.51 and below 4.7.51.4 is affected.
Version 4.8.3 and below 4.8.3.9 is affected.
Version 4.8.13 and below 4.8.13.6 is affected.
Version 4.8.32 and below 4.8.32.3 is affected.
Version 4.8.36 and below 4.8.36.1 is affected.
Version 4.8.43 and below 4.8.43.1 is affected.
Version 4.8.47, <= * is unaffected.

org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui:

Version 4.7.24 and below 4.7.24.7 is affected.
Version 4.7.32 and below 4.7.32.14 is affected.
Version 4.7.33 and below 4.7.33.13 is affected.
Version 4.7.35 and below 4.7.35.11 is affected.
Version 4.7.39 and below 4.7.39.9 is affected.
Version 4.7.51 and below 4.7.51.4 is affected.
Version 4.8.3 and below 4.8.3.9 is affected.
Version 4.8.9 and below 4.8.9.5 is affected.
Version 4.8.12 and below 4.8.12.5 is affected.
Version 4.8.13 and below 4.8.13.6 is affected.
Version 4.8.24 and below 4.8.24.3 is affected.
Version 4.8.32 and below 4.8.32.3 is affected.
Version 4.8.36 and below 4.8.36.1 is affected.
Version 4.8.43 and below 4.8.43.1 is affected.
Version 4.8.47, <= * is unaffected.

org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui:

Version 4.8.19 and below 4.8.19.5 is affected.
Version 4.8.21 and below 4.8.21.9 is affected.
Version 4.8.28 and below 4.8.28.3 is affected.
Version 4.8.30 and below 4.8.30.3 is affected.
Version 4.8.32 and below 4.8.32.1 is affected.
Version 4.8.33 and below 4.8.33.3 is affected.
Version 4.8.34 and below 4.8.34.3 is affected.
Version 4.8.35, <= * is affected.

org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui:

Version 6.4.2 and below 6.4.2.165 is affected.
Version 6.4.111 and below 6.4.111.155 is affected.
Version 6.4.176 and below 6.4.176.28 is affected.
Version 6.4.180 and below 6.4.180.12 is affected.
Version 6.9.6 and below 6.9.6.26 is affected.
Version 6.13.16 and below 6.13.16.19 is affected.
Version 6.13.19 and below 6.13.19.12 is affected.
Version 6.13.27 and below 6.13.27.5 is affected.
Version 6.13.38, <= 6.13.* is unaffected.
Version 7.0.349, <= * is unaffected.

Exploit Probability

EPSS

0.03%

Percentile

7.54%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.