CVE-2025-13590

Authenticated arbitrary file upload via a System REST API requiring administrator permission.

Assigner: WSO2
Reserved: 24.11.2025 Published: 19.02.2026 Updated: 19.02.2026

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	WSO2
Product	WSO2 API Manager
Versions	Default: unaffected unknown from 0 to 4.2.0 (excl.) affected from 4.2.0 to 4.2.0.179 (excl.) affected from 4.3.0 to 4.3.0.91 (excl.) affected from 4.4.0 to 4.4.0.55 (excl.) affected from 4.5.0 to 4.5.0.38 (excl.) affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor

WSO2

Product

WSO2 API Manager

Versions

Default: unaffected

unknown from 0 to 4.2.0 (excl.)
affected from 4.2.0 to 4.2.0.179 (excl.)
affected from 4.3.0 to 4.3.0.91 (excl.)
affected from 4.4.0 to 4.4.0.55 (excl.)
affected from 4.5.0 to 4.5.0.38 (excl.)
affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor	WSO2
Product	WSO2 API Control Plane
Versions	Default: unaffected unknown from 0 to 4.5.0 (excl.) affected from 4.5.0 to 4.5.0.39 (excl.) affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor

WSO2

Product

WSO2 API Control Plane

Versions

Default: unaffected

unknown from 0 to 4.5.0 (excl.)
affected from 4.5.0 to 4.5.0.39 (excl.)
affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor	WSO2
Product	WSO2 Universal Gateway
Versions	Default: unaffected unknown from 0 to 4.5.0 (excl.) affected from 4.5.0 to 4.5.0.37 (excl.) affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor

WSO2

Product

WSO2 Universal Gateway

Versions

Default: unaffected

unknown from 0 to 4.5.0 (excl.)
affected from 4.5.0 to 4.5.0.37 (excl.)
affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor	WSO2
Product	WSO2 Traffic Manager
Versions	Default: unaffected unknown from 0 to 4.5.0 (excl.) affected from 4.5.0 to 4.5.0.37 (excl.) affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor

WSO2

Product

WSO2 Traffic Manager

Versions

Default: unaffected

unknown from 0 to 4.5.0 (excl.)
affected from 4.5.0 to 4.5.0.37 (excl.)
affected from 4.6.0 to 4.6.0.3 (excl.)

Vendor	WSO2
Product	org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl
Versions	Default: unknown affected from 9.28.116 to 9.28.116.391 (excl.) affected from 9.29.120 to 9.29.120.210 (excl.) affected from 9.30.67 to 9.30.67.133 (excl.) affected from 9.31.86 to 9.31.86.100 (excl.) affected from 9.32.147 to 9.32.147.2 (excl.) unaffected from x to * (incl.)

Vendor

WSO2

Product

org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl

Versions

Default: unknown

affected from 9.28.116 to 9.28.116.391 (excl.)
affected from 9.29.120 to 9.29.120.210 (excl.)
affected from 9.30.67 to 9.30.67.133 (excl.)
affected from 9.31.86 to 9.31.86.100 (excl.)
affected from 9.32.147 to 9.32.147.2 (excl.)
unaffected from x to * (incl.)

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/#solution

Credits

Thilan Dissanayaka finder

References

CVE-2025-13590 PUBLISHED

Authenticated arbitrary file upload via a System REST API requiring administrator permission.

Metrics

Product Status

Solutions

Credits

References