CVE-2025-8154
Severity: MEDIUM
HTTP Header Injection via Webhook API in Multiple WSO2 Products Allows Response Header Manipulation
Title source: cnaDescription
In Webhook API invocations, the affected component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, and those headers are subsequently reflected into HTTP responses. A malicious actor can therefore inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including manipulation of browser caching, alteration of security-related headers, and injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activity.
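As an added illustration (not code from this page or from WSO2), the following Python models the flaw class the description names: a response builder that reflects caller-supplied webhook headers verbatim, beside a hardened version that rejects CR/LF and non-token characters and refuses caller control over caching, cookie and browser-security headers. The header names, the deny-list and the attacker payload are constructed for this example and are not taken from the advisory.

```python
from __future__ import annotations

import re

CRLF = "\r\n"

# RFC 7230 "token" characters, the only ones permitted in a header field name.
_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values: printable ASCII, SP, HTAB and obs-text; CR, LF and NUL are excluded.
_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")

# Response headers a webhook caller must never set or override, because they
# control caching, cookies and browser security policy.
# Constructed deny-list for this example, not WSO2's configuration.
DENY_RESPONSE_HEADERS = frozenset({
    "set-cookie", "cache-control", "pragma", "expires", "location",
    "content-type", "content-length", "transfer-encoding",
    "content-security-policy", "strict-transport-security",
    "x-frame-options", "access-control-allow-origin",
})


class HeaderInjection(ValueError):
    """Raised when a caller-supplied header would alter the response."""


def vulnerable_response(user_headers: dict[str, str]) -> bytes:
    """Models the advisory's flaw: caller headers are copied verbatim into the
    response, so an embedded CRLF starts a new header line."""
    lines = ["HTTP/1.1 200 OK"]
    for name, value in user_headers.items():
        lines.append(f"{name}: {value}")
    lines.append("Content-Length: 0")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Return (name, stripped value) if safe to emit, else raise HeaderInjection."""
    if not _NAME_RE.fullmatch(name):
        raise HeaderInjection(f"illegal header name {name!r}")
    if not _VALUE_RE.fullmatch(value):
        raise HeaderInjection(f"control characters in value of {name!r}")
    if name.lower() in DENY_RESPONSE_HEADERS:
        raise HeaderInjection(f"header {name!r} may not be set by the caller")
    return name, value.strip()


def is_safe_header(name: str, value: str) -> bool:
    """Boolean form of validate_header for filtering or logging."""
    try:
        validate_header(name, value)
        return True
    except HeaderInjection:
        return False


def hardened_response(user_headers: dict[str, str]) -> bytes:
    """Same shape as vulnerable_response, but every header passes validate_header."""
    lines = ["HTTP/1.1 200 OK"]
    for name, value in user_headers.items():
        safe_name, safe_value = validate_header(name, value)
        lines.append(f"{safe_name}: {safe_value}")
    lines.append("Content-Length: 0")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Parse the head of a response the way a client does: one header per CRLF."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


# Constructed attacker payload: one "event" header smuggling two extra lines.
ATTACK = {
    "X-Webhook-Event": "push\r\nSet-Cookie: JSESSIONID=attacker\r\n"
                       "Cache-Control: public, max-age=31536000",
}
BENIGN = {"X-Webhook-Event": "push", "X-Request-Id": "abc123"}


if __name__ == "__main__":
    print(parse_response_headers(vulnerable_response(ATTACK)))
    try:
        hardened_response(ATTACK)
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Run as a script to see the single attacker value split into three response headers under the vulnerable builder and rejected by the hardened one. The deny-list matters as much as the CRLF check: even with well-formed values, letting a caller pick the header name is enough to overwrite Cache-Control or Set-Cookie, which is the "overwrite" case the description mentions.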
References (1)
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/
Scores
CVSS v3.1 base score: 5.3 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0019 (percentile 8.3%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
Status: published
Products (25)
wso2/api_control_plane: 4.5.0 - 4.5.0.21
wso2/api_manager: 4.1.0 - 4.1.0.218
wso2/traffic_manager: 4.5.0 - 4.5.0.19
wso2/universal_gateway: 4.5.0 - 4.5.0.19
WSO2/WSO2 API Control Plane: 4.5.0 - 4.5.0.21
WSO2/WSO2 API Manager: < 4.1.0
WSO2/WSO2 API Manager: 4.1.0 - 4.1.0.218
WSO2/WSO2 API Manager: 4.2.0 - 4.2.0.164
WSO2/WSO2 API Manager: 4.3.0 - 4.3.0.74
WSO2/WSO2 API Manager: 4.4.0 - 4.4.0.38
... and 15 more
Published: May 11, 2026
Tracked Since: May 11, 2026