CVE-2025-4760

Name of the Vulnerable Software and Affected Versions WSO2 products (affected versions not specified)

Description An authenticated stored cross-site scripting (XSS) issue exists because of insufficient validation of user-provided input when uploading API documents within the Publisher portal. An attacker with publisher privileges can upload a malicious API document containing JavaScript. When other users access this document, the JavaScript is executed in their browsers. This could lead to redirection to malicious websites, unauthorized changes to the user interface, or the theft of data accessible through the browser. Sensitive session cookies are protected by the httpOnly flag, preventing session hijacking.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.