CVE-2025-13590
Awaiting Analysis
Awaiting Analysis - Queue
Arbitrary File Upload in REST API Enables Remote Code Execution
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: WSO2 LLC
Description
Description
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | api_control_plane | 4.5.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | universal_gateway | 4.5.0 |
| wso2 | api_control_plane | 4.6.0 |
| wso2 | api_manager | 4.6.0 |
| wso2 | traffic_manager | 4.6.0 |
| wso2 | universal_gateway | 4.6.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
