CVE-2025-13590

CRITICAL

Deployment - RCE via File Upload

Title source: llm

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

References (1)

[Various Sources] https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/

Scores

CVSS v3 9.1

EPSS 0.0011

EPSS Percentile 28.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (12)

org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.impl 0 - 9.32.167Maven

wso2/api_control_plane 4.5.0

wso2/api_control_plane 4.6.0

wso2/api_manager 4.2.0

wso2/api_manager 4.3.0

wso2/api_manager 4.4.0

wso2/api_manager 4.5.0

wso2/api_manager 4.6.0

wso2/traffic_manager 4.5.0

wso2/traffic_manager 4.6.0

... and 2 more

Published Feb 19, 2026

Tracked Since Feb 19, 2026