CVE-2025-13590
Arbitrary File Upload in REST API Enables Remote Code Execution
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: WSO2 LLC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_manager | 4.2.0 |
| wso2 | api_manager | 4.3.0 |
| wso2 | api_manager | 4.4.0 |
| wso2 | api_manager | 4.5.0 |
| wso2 | api_control_plane | 4.5.0 |
| wso2 | traffic_manager | 4.5.0 |
| wso2 | universal_gateway | 4.5.0 |
| wso2 | api_control_plane | 4.6.0 |
| wso2 | api_manager | 4.6.0 |
| wso2 | traffic_manager | 4.6.0 |
| wso2 | universal_gateway | 4.6.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability allows a malicious actor who already has administrative privileges to upload an arbitrary file to a location controlled by the user within the deployment through a system REST API.
If the upload is successful, it may lead to remote code execution by leveraging a specially crafted payload.
How can this vulnerability impact me?
The vulnerability can have severe impacts including remote code execution, which means an attacker could run malicious code on the affected system.
This can lead to full compromise of the system, including unauthorized access, data theft, data manipulation, or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know