Home > Vulnerability Database > CVE-2025-10853

Mend.io Vulnerability Database

CVE-2025-10853

Good to know:

Date: November 5, 2025

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

Severity Score

5.2

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-10853

Url: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/

Url: https://www.mend.io/vulnerability-database/CVE-2025-10853

Severity Score

5.2

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version https://github.com/wso2/carbon-registry.git - v4.8.47;https://github.com/wso2/carbon-governance.git - v4.8.35;https://github.com/wso2-extensions/identity-inbound-auth-oauth.git - v7.0.370

Learn More

CVSS v3.1

Base Score:	5.2
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-10853

Good to know:

Date: November 5, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?