CVE-2025-10503

MEDIUM EPSS 7.0%

Published Apr 29, 20262mo ago · Modified Jun 17, 20261w ago

6.1 CVSS 3.1

Medium

Published Apr 29, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.

CVSS Details

Base Score

6.1

Exploitability

2.8

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

7.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
wso2	identity_server	*	≥7.1.0 – <7.1.0.28

References 1

security.docs.wso2.com https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.