CVE-2024-8010
Severity: LOW
XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files
Title source: cnaDescription
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
References (1)
Vendor Advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/
Scores
CVSS v3
3.5
EPSS
0.0027
EPSS Percentile
18.8%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (9)
wso2/api_manager
3.2.0 - 3.2.0.397
WSO2/WSO2 API Manager
< 3.2.0
WSO2/WSO2 API Manager
3.2.0 - 3.2.0.397
WSO2/WSO2 API Manager
3.2.1 - 3.2.1.27
WSO2/WSO2 API Manager
4.0.0 - 4.0.0.310
WSO2/WSO2 API Manager
4.0.0 - 4.0.0.319
WSO2/WSO2 API Manager
4.1.0 - 4.1.0.171
WSO2/WSO2 API Manager
4.2.0 - 4.2.0.127
WSO2/WSO2 API Manager
4.3.0 - 4.3.0.39
Published
Apr 16, 2026
Tracked Since
Apr 16, 2026