CVE-2024-8010 LOW

CVE-2024-8010: XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files

Vendor Wso2
Product WSO2 API Manager
Weakness CWE-611 · XXE
Published April 16, 2026
Last update April 16, 2026

CVSS base score

3.5/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

The component accepts XML input through the Publisher without disabling external entity resolution. A malicious actor can therefore submit a crafted XML payload whose external entity references the parser resolves. By exploiting this, a malicious actor can read confidential files from the product's file system, or reach HTTP resources that the vulnerable product can fetch via HTTP GET requests.
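The root cause described above is a JAXP parser left at its defaults, which resolve external entities. The following is an added example, not code from WSO2 or the API Manager project, showing the defensive configuration a Java component should apply to untrusted XML: it disallows DOCTYPE declarations (and disables external entity loading as a fallback) so a document carrying an external entity is rejected before any file or URL is touched. The class name, sample documents and the placeholder file path are constructed for illustration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Constructed sample: a document with a DOCTYPE declaring an external entity.
    // A parser that resolves external entities would fetch the referenced file.
    // The path is a placeholder, not a real secret location.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE api [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>"
      + "<api><name>&ext;</name></api>";

    // Constructed sample: ordinary input with no DTD, which must still parse.
    static final String SAMPLE_CLEAN = "<api><name>orders</name></api>";

    /** DocumentBuilderFactory.newInstance() alone is the weak setting: it resolves
     *  external entities. This factory turns that off using the standard
     *  SAX/Xerces feature names understood by the JDK's built-in parser. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: no entity declarations can exist without one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses untrusted XML; throws SAXException when a DOCTYPE is present. */
    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("clean root: " + parseUntrusted(SAMPLE_CLEAN).getDocumentElement().getTagName());
        try {
            parseUntrusted(SAMPLE_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: DOCTYPE input was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```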

Key dates

Disclosure timeline

April 16, 2026 CVE published
April 16, 2026 Record updated