Insecure file upload in org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl
Description
carbon-apimgt does not properly restrict uploaded files. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution.
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
maven | 9.32.167 |