Home > Vulnerability Database > CVE-2025-10907

Mend.io Vulnerability Database

CVE-2025-10907

Good to know:

Date: November 5, 2025

An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.

Severity Score

8.4

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-10907

Url: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4603/

Url: https://www.mend.io/vulnerability-database/CVE-2025-10907

Severity Score

8.4

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version https://github.com/wso2/carbon-kernel.git - 4.9.30;https://github.com/wso2/carbon-deployment.git - v4.11.24;https://github.com/wso2/carbon-event-processing.git - v2.3.19

Learn More

CVSS v3.1

Base Score:	8.4
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-10907

Good to know:

Date: November 5, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?