Vulnerability Database

324,311

Total vulnerabilities in the database

CVE-2025-13590

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Published: Feb 19, 2026
Updated: Feb 20, 2026
CVE: CVE-2025-13590
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
wso2 / api_control_plane	4.5.0	4.5.0.x
wso2 / api_control_plane	4.6.0	4.6.0.x
wso2 / api_manager	4.2.0	4.2.0.x
wso2 / api_manager	4.3.0	4.3.0.x
wso2 / api_manager	4.4.0	4.4.0.x
wso2 / api_manager	4.5.0	4.5.0.x
wso2 / api_manager	4.6.0	4.6.0.x
wso2 / traffic_manager	4.5.0	4.5.0.x
wso2 / traffic_manager	4.6.0	4.6.0.x
wso2 / universal_gateway	4.5.0	4.5.0.x
wso2 / universal_gateway	4.6.0	4.6.0.x

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo