WSO2 Products Arbitrary File Upload Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability exists in multiple WSO2 products, including WSO2 API Control Plane, API Manager, Traffic Manager, and Universal Gateway, all in versions 4.6.0 and 4.5.0. It allows an authenticated user with administrative privileges to upload arbitrary files to user-controlled locations within the deployment via a system REST API. Such uploads could be exploited to achieve remote code execution.

Impact

Exploitation of this vulnerability could result in remote code execution on the affected system.

Remediation

Community users should apply the public fix available on the WSO2 GitHub repository or migrate to the latest unaffected version. WSO2 support subscription holders can update to the specified update levels for their product version.

Added: Feb 19, 2026, 7:11 PM
Updated: Feb 19, 2026, 7:11 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 4.4
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.