CVE-2025-8591
Received Received - Intake

Reflected Cross-Site Scripting in Application

Vulnerability report for CVE-2025-8591, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: WSO2 LLC

Description

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
wso2 api_control_plane *
wso2 api_manager *
wso2 identity_server *
wso2 open_banking_components *
wso2 traffic_manager *
wso2 universal_gateway *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue found in multiple WSO2 products. It occurs because the software accepts user input through a URL parameter without properly encoding it before reflecting it back to the user's browser. This allows an attacker to inject malicious scripts into web pages served by the application.

Impact Analysis

An attacker exploiting this vulnerability can cause a user's browser to redirect to malicious websites, alter the webpage's user interface, or steal information from the browser. However, the risk of session hijacking is reduced because session-related cookies are protected by the httpOnly flag.

Detection Guidance

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue caused by improper output encoding of user-supplied URL parameters. Detection typically involves testing the affected WSO2 products by injecting common XSS payloads into URL parameters and observing if the payload is reflected unencoded in the response.

Common detection methods include using web vulnerability scanners or manual testing with tools like curl or browser developer tools to send crafted requests.

  • Use curl to send a request with a test XSS payload in a URL parameter, for example: curl -i "http://target-url/?param=<script>alert(1)</script>"
  • Observe the HTTP response to check if the script tag is reflected without proper encoding.
  • Use automated scanners such as OWASP ZAP or Burp Suite to detect reflected XSS vulnerabilities.
Mitigation Strategies

Immediate mitigation steps include applying the official patches or updates provided by WSO2 for the affected products.

If patching is not immediately possible, consider implementing input validation and output encoding on URL parameters to prevent malicious script injection.

Additionally, monitor and restrict access to affected services and consider using web application firewalls (WAFs) to block malicious payloads.

Ensure that session cookies continue to use the httpOnly flag to mitigate session hijacking risks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart