CVE-2025-11093


Published: Nov 5, 2025
Modified: Nov 5, 2025
State: PUBLISHED
CVSS v3.1 base score: 8.4 (HIGH)

Description

An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.

Affected products (Vendor / Product / Versions)

Vendor: WSO2
Product: WSO2 Micro Integrator
  unknown   0 - < 4.0.0
  affected  4.0.0 - < 4.0.0.145
  affected  4.1.0 - < 4.1.0.147
  affected  4.2.0 - < 4.2.0.141
  affected  4.3.0 - < 4.3.0.42
  +1 more versions

Vendor: WSO2
Product: WSO2 API Manager
  unknown   0 - < 3.1.0
  affected  3.1.0 - < 3.1.0.345
  affected  3.2.0 - < 3.2.0.446
  affected  3.2.1 - < 3.2.1.66
  affected  4.0.0 - < 4.0.0.366
  +5 more versions

Vendor: WSO2
Product: WSO2 Enterprise Integrator
  unknown   0 - < 6.6.0
  affected  6.6.0 - < 6.6.0.224

Vendor: WSO2
Product: WSO2 Universal Gateway
  affected  4.5.0 - < 4.5.0.27

Vendor: WSO2
Product: WSO2 API Control Plane
  affected  4.5.0 - < 4.5.0.29

Vendor: WSO2
Product: WSO2 Traffic Manager
  affected  4.5.0 - < 4.5.0.27

Vendor: WSO2
Product: WSO2 Open Banking IAM
  unknown   0 - < 2.0.0
  affected  2.0.0 - < 2.0.0.414

Vendor: WSO2
Product: WSO2 Open Banking AM
  unknown   0 - < 2.0.0
  affected  2.0.0 - < 2.0.0.394

Vendor: WSO2
Product: WSO2 Identity Server as Key Manager
  unknown   0 - < 5.10.0
  affected  5.10.0 - < 5.10.0.365

Vendor: WSO2
Product: org.apache.synapse:synapse-core
  affected  2.1.7.wso2v227 - < 2.1.7.wso2v227_99
  affected  2.1.7.wso2v271 - < 2.1.7.wso2v271_88
  affected  2.1.7.wso2v143 - < 2.1.7.wso2v143_121
  affected  2.1.7.wso2v319 - < 2.1.7.wso2v319_13
  affected  2.1.7.wso2v183 - < 2.1.7.wso2v183_72
  +7 more versions

Vendor: WSO2
Product: org.apache.synapse:synapse-extensions
  affected  2.1.7.wso2v227 - < 2.1.7.wso2v227_99
  affected  2.1.7.wso2v271 - < 2.1.7.wso2v271_88
  affected  2.1.7.wso2v143 - < 2.1.7.wso2v143_121
  affected  2.1.7.wso2v319 - < 2.1.7.wso2v319_13
  affected  2.1.7.wso2v183 - < 2.1.7.wso2v183_72
  +7 more versions

Weaknesses (CWE)

CVSS v3.1 Details

Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

  Attack Vector:        Adjacent
  Attack Complexity:    Low
  Privileges Required:  High
  User Interaction:     None
  Scope:                Changed
  Confidentiality:      High
  Integrity:            High
  Availability:         High
