CVE-2024-8010

LOW

XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files

Title source: cna

Description

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.

References (1)

[Vendor Advisory] https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/

Scores

CVSS v3 3.5

EPSS 0.0001

EPSS Percentile 2.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (9)

wso2/api_manager 3.2.0 - 3.2.0.397

WSO2/WSO2 API Manager < 3.2.0

WSO2/WSO2 API Manager 3.2.0 - 3.2.0.397

WSO2/WSO2 API Manager 3.2.1 - 3.2.1.27

WSO2/WSO2 API Manager 4.0.0 - 4.0.0.310

WSO2/WSO2 API Manager 4.0.0 - 4.0.0.319

WSO2/WSO2 API Manager 4.1.0 - 4.1.0.171

WSO2/WSO2 API Manager 4.2.0 - 4.2.0.127

WSO2/WSO2 API Manager 4.3.0 - 4.3.0.39

Published Apr 16, 2026

Tracked Since Apr 16, 2026