Reflected Cross-Site Scripting Vulnerability in WSO2 Products
CVE-2025-5770

6.1 MEDIUM

What is CVE-2025-5770?

Multiple WSO2 products are affected by a reflected cross-site scripting vulnerability caused by insufficient output encoding in their authentication endpoints. An attacker can supply a malicious JavaScript payload in a request, and the endpoint reflects it in the response delivered to the victim's browser. By exploiting this vulnerability, attackers can redirect users to malicious sites, manipulate the user interface, or gain unauthorized access to data through the victim's browser. Although session hijacking is mitigated because session-related cookies carry the HttpOnly flag, the potential for phishing and other client-side attacks remains a significant concern.
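The defect class described above, reflecting a request parameter into HTML without context-appropriate encoding, is illustrated below with an added example that is not WSO2's code; the parameter name returnTo and the page template are constructed for the illustration, and the third function is the simple check a defender can run against a response to see whether a metacharacter probe comes back unencoded.

```python
import html
from urllib.parse import quote

# Constructed template for a login-failure page that reflects the request
# parameter "returnTo" (hypothetical name) into two different output contexts:
# a URL inside an href attribute, and visible HTML text.
TEMPLATE = (
    '<p>Login failed. '
    '<a href="/login?returnTo={href_value}">Try again</a> '
    '(requested: {text_value})</p>'
)


def render_vulnerable(return_to: str) -> str:
    """Reflects the parameter verbatim: the missing-output-encoding defect class."""
    return TEMPLATE.format(href_value=return_to, text_value=return_to)


def render_hardened(return_to: str) -> str:
    """Encodes the parameter for each context it lands in.

    - href: percent-encode as a URL query component (safe="" also encodes '/').
    - text: HTML-entity-encode the metacharacters &, <, >, " and '.
    """
    return TEMPLATE.format(
        href_value=quote(return_to, safe=""),
        text_value=html.escape(return_to, quote=True),
    )


def reflects_unencoded(response_body: str, probe: str) -> bool:
    """Defender's check for the reflected-XSS symptom.

    True when a probe containing HTML metacharacters comes back in the
    response body verbatim, i.e. with no output encoding applied.
    """
    has_metachars = any(c in probe for c in '<>&"\'')
    return has_metachars and probe in response_body


if __name__ == "__main__":
    # Benign metacharacter probe (constructed), not a working payload.
    probe = '<x>"a"&b'
    print("vulnerable reflects unencoded:", reflects_unencoded(render_vulnerable(probe), probe))
    print("hardened reflects unencoded:  ", reflects_unencoded(render_hardened(probe), probe))
```

Note that the fix is per output context: the same value needs URL encoding inside the href and entity encoding in the text node, and a single generic "sanitize" pass would not cover both.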

Affected Version(s)

  • WSO2 API Control Plane 4.5.0 < 4.5.0.11

  • WSO2 API Manager 4.2.0 < 4.2.0.150

  • WSO2 API Manager 4.3.0 < 4.3.0.63

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

crnković