CVE-2025-10907 | WSO2 API Manager SOAP Admin Service unrestricted upload
A vulnerability classified as critical was found in WSO2 API Manager, Open Banking IAM, Open Banking AM, API Control Plane, Universal Gateway, Traffic Manager, Micro Integrator, Identity Server, Identity Server as Key Manager, Enterprise Integrator, org.jaggeryjs:org.jaggeryjs.jaggery.app.mgt, org.wso2.carbon.event-processing:org.wso2.carbon.event.simulator.core, org.wso2.carbon.mediation:org.wso2.carbon.mediation.library, org.wso2.carbon.deployment:org.wso2.carbon.module.mgt, org.wso2.carbon.deployment:org.wso2.carbon.webapp.mgt, org.apache.ws.commons.axiom.wso2:axiom, org.wso2.carbon:org.wso2.carbon.base and org.wso2.carbon:org.wso2.carbon.utils. The vulnerability affects unknown code in the SOAP Admin Service component. Manipulation of this component can lead to unrestricted upload.
This vulnerability is tracked as CVE-2025-10907. The attack is only possible within the local network. No exploit exists.
You should upgrade the affected component.