CVE-2025-8154

Severity: High · EPSS 8.4%
Published May 11, 2026 · Modified Jun 17, 2026
CVSS 3.1 base score 7.5 (High)

Description

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
8.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected Products (8)

Vendor  Product             Version  Affected Range
wso2    api_control_plane   *        ≥4.5.0  –  <4.5.0.21
wso2    api_manager         *        ≥4.1.0  –  <4.1.0.218
wso2    api_manager         *        ≥4.2.0  –  <4.2.0.164
wso2    api_manager         *        ≥4.3.0  –  <4.3.0.74
wso2    api_manager         *        ≥4.4.0  –  <4.4.0.38
wso2    api_manager         *        ≥4.5.0  –  <4.5.0.20
wso2    traffic_manager     *        ≥4.5.0  –  <4.5.0.19
wso2    universal_gateway   *        ≥4.5.0  –  <4.5.0.19

References (1)

  • security.docs.wso2.com (Vendor Advisory): https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4410/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.