
Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Because the actor chooses where the file is written, a successful upload of a specially crafted payload may lead to remote code execution.

Status: PUBLISHED | Reserved 2025-11-24 | Published 2026-02-19 | Updated 2026-02-20 | Assigner: WSO2

Severity: CRITICAL 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Product status

Default status: unaffected
- Any version before 4.2.0: unknown
- 4.2.0 (custom) before 4.2.0.179: affected
- 4.3.0 (custom) before 4.3.0.91: affected
- 4.4.0 (custom) before 4.4.0.55: affected
- 4.5.0 (custom) before 4.5.0.38: affected
- 4.6.0 (custom) before 4.6.0.3: affected

Default status: unaffected
- Any version before 4.5.0: unknown
- 4.5.0 (custom) before 4.5.0.39: affected
- 4.6.0 (custom) before 4.6.0.3: affected

Default status: unaffected
- Any version before 4.5.0: unknown
- 4.5.0 (custom) before 4.5.0.37: affected
- 4.6.0 (custom) before 4.6.0.3: affected

Default status: unaffected
- Any version before 4.5.0: unknown
- 4.5.0 (custom) before 4.5.0.37: affected
- 4.6.0 (custom) before 4.6.0.3: affected

Default status: unknown
- 9.28.116 (custom) before 9.28.116.391: affected
- 9.29.120 (custom) before 9.29.120.210: affected
- 9.30.67 (custom) before 9.30.67.133: affected
- 9.31.86 (custom) before 9.31.86.100: affected
- 9.32.147 (custom) before 9.32.147.2: affected
- x (custom): unaffected

Credits

Thilan Dissanayaka (finder)

References

- security.docs.wso2.com/...ty-advisories/2026/WSO2-2025-4849/ (vendor advisory)
- cve.org (CVE-2025-13590)
- nvd.nist.gov (CVE-2025-13590)