Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

Customers

Vulnerability IntelligenceGHSA-p6jf-79j3-33f3

GHSA-p6jf-79j3-33f3

CRITICAL9.1

carbon-apimgt does not properly restrict uploaded files

Published Feb 19, 2026

Modified 2 weeks ago

Fix available

Details

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

Affected Packages

org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl

Maven

Fixed in:

9.32.167

References

ADVISORY

https://github.com/advisories/GHSA-p6jf-79j3-33f3

PACKAGE

https://github.com/wso2/carbon-apimgt

WEB

https://github.com/wso2/carbon-apimgt/commit/49a6427b39a5d9552ce97430858bb4b1912a3044

WEB

https://github.com/wso2/carbon-apimgt/pull/13560

WEB

https://github.com/wso2/carbon-apimgt/releases/tag/v9.32.167

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2025-13590

WEB

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849

Aliases

CVE-2025-13590

CVSS Analysis

CVSS v3.1

9.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

HighPR:H

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.1/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2025-13590

Ecosystems

Maven

Timeline

PublishedFeb 19, 2026

ModifiedFeb 19, 2026

GHSA-p6jf-79j3-33f3 | Mondoo Vulnerability Intelligence