XML Parser Vulnerability in WSO2 Products
CVE-2024-2374

7.5 HIGH

What is CVE-2024-2374?

CVE-2024-2374 is an XML External Entity (XXE) vulnerability in the XML parsers of several WSO2 products, caused by improper handling of user-supplied XML. An unauthenticated remote attacker can submit a crafted XML document whose DOCTYPE declares external entities, and the parser resolves them. This lets the attacker read files from the server's file system that the WSO2 process can access and make the server issue requests to limited HTTP resources (server-side request forgery). The same flaw enables denial of service: recursive entity expansion exhausts CPU and memory, and a reference to an excessively large external resource ties up the parser while it is fetched. Users should update to the fixed versions listed below and review the security configuration of their WSO2 deployments.

Affected Version(s)

WSO2 API Manager 3.1.0 < 3.1.0.278

WSO2 API Manager 3.2.0 < 3.2.0.368

WSO2 API Manager 4.0.0 < 4.0.0.280

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved