CVE-2025-13590 - Vulnerability Details - OpenCVE

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00207.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/

History

Thu, 19 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Title		Authenticated arbitrary file upload via a System REST API requiring administrator permission.
References		https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: WSO2

Published: 2026-02-19T10:05:06.083Z

Updated: 2026-02-19T10:05:06.083Z

Reserved: 2025-11-24T05:01:57.688Z

Link: CVE-2025-13590

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13590", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2025-11-24T05:01:57.688Z", "datePublished": "2026-02-19T10:05:06.083Z", "dateUpdated": "2026-02-19T10:05:06.083Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WSO2 API Manager", "vendor": "WSO2", "versions": [{"lessThan": "4.2.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "4.2.0.179", "status": "affected", "version": "4.2.0", "versionType": "custom"}, {"lessThan": "4.3.0.91", "status": "affected", "version": "4.3.0", "versionType": "custom"}, {"lessThan": "4.4.0.55", "status": "affected", "version": "4.4.0", "versionType": "custom"}, {"lessThan": "4.5.0.38", "status": "affected", "version": "4.5.0", "versionType": "custom"}, {"lessThan": "4.6.0.3", "status": "affected", "version": "4.6.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 API Control Plane", "vendor": "WSO2", "versions": [{"lessThan": "4.5.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "4.5.0.39", "status": "affected", "version": "4.5.0", "versionType": "custom"}, {"lessThan": "4.6.0.3", "status": "affected", "version": "4.6.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Universal Gateway", "vendor": "WSO2", "versions": [{"lessThan": "4.5.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "4.5.0.37", "status": "affected", "version": "4.5.0", "versionType": "custom"}, {"lessThan": "4.6.0.3", "status": "affected", "version": "4.6.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Traffic Manager", "vendor": "WSO2", "versions": [{"lessThan": "4.5.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "4.5.0.37", "status": "affected", "version": "4.5.0", "versionType": "custom"}, {"lessThan": "4.6.0.3", "status": "affected", "version": "4.6.0", "versionType": "custom"}]}, {"defaultStatus": "unknown", "packageName": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl", "product": "org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl", "vendor": "WSO2", "versions": [{"lessThan": "9.28.116.391", "status": "affected", "version": "9.28.116", "versionType": "custom"}, {"lessThan": "9.29.120.210", "status": "affected", "version": "9.29.120", "versionType": "custom"}, {"lessThan": "9.30.67.133", "status": "affected", "version": "9.30.67", "versionType": "custom"}, {"lessThan": "9.31.86.100", "status": "affected", "version": "9.31.86", "versionType": "custom"}, {"lessThan": "9.32.147.2", "status": "affected", "version": "9.32.147", "versionType": "custom"}, {"lessThanOrEqual": "*", "status": "unaffected", "version": "x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Thilan Dissanayaka"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. <br><br> By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload."}], "value": "A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. \n\n By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-02-19T10:05:06.083Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/#solution</span></a> <br>"}], "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/#solution"}], "source": {"advisory": "WSO2-2025-4849", "discovery": "EXTERNAL"}, "title": "Authenticated arbitrary file upload via a System REST API requiring administrator permission.", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}