CVE-2025-8154
Published: 2026-05-11 · Last updated: 2026-05-27
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
Affected products
| Vendor | Product |
|---|---|
| wso2 | api_control_plane, api_manager, traffic_manager |
Description
In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP response headers. This can lead to various adverse effects, including the manipulation of browser caching, alteration of security-related headers, and the injection of sensitive information such as cookie values, potentially enabling session hijacking or other malicious activities.
Source: NVD
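The description above covers the general failure mode: a header value taken from the caller is written into the response without checking it for line terminators, so a single CR LF in that value becomes a second, attacker-chosen header. The following added example is not WSO2 code and does not model the product's webhook implementation; it is a self-contained illustration of the vulnerable pattern next to a hardened one. The header-name allowlist (`ALLOWED_REFLECTED`) and the sample input are constructed for the demonstration, and the validation rules follow the RFC 7230 grammar for header names (token) and values (HTAB, SP and visible ASCII only).

```python
import re

# Header name must be an RFC 7230 token; value may contain only HTAB, SP and visible ASCII.
# CR, LF and other control characters are rejected outright rather than stripped, so a
# malformed value never reaches the serializer in any form.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e]*$")


def serialize_response(status_line, headers):
    """Serialize a status line plus (name, value) pairs into a raw HTTP/1.1 response head."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response_head(raw):
    """Parse the head of a serialized response the way a line-oriented client would."""
    head = raw.split("\r\n\r\n", 1)[0]
    parsed = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def reflect_headers_unsafe(user_headers):
    """Vulnerable pattern: copy caller-supplied headers straight into the response."""
    return serialize_response("HTTP/1.1 200 OK", list(user_headers.items()))


def validate_header(name, value):
    """Return (name, value) if both are syntactically valid; raise ValueError otherwise."""
    if not _TOKEN_RE.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if not _FIELD_VALUE_RE.match(value):
        raise ValueError(f"invalid header value for {name}: {value!r}")
    return name, value


# Hypothetical allowlist of header names the service is willing to echo back.
ALLOWED_REFLECTED = {"x-request-id", "x-correlation-id"}


def reflect_headers_safe(user_headers, allowed=ALLOWED_REFLECTED):
    """Hardened pattern: validate syntax, then forward only allowlisted header names."""
    clean = []
    for name, value in user_headers.items():
        name, value = validate_header(name, value)
        if name.lower() not in allowed:
            raise ValueError(f"header not permitted in response: {name}")
        clean.append((name, value))
    return serialize_response("HTTP/1.1 200 OK", clean)


# Constructed sample: a webhook caller sends a header value that embeds CR LF.
SAMPLE_INPUT = {"X-Request-Id": "req-123\r\nSet-Cookie: sid=injected"}


def demo(user_headers=SAMPLE_INPUT):
    """Return (headers a client sees on the unsafe path, whether the safe path rejected the input)."""
    unsafe_view = parse_response_head(reflect_headers_unsafe(user_headers))
    try:
        reflect_headers_safe(user_headers)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_view, rejected


if __name__ == "__main__":
    headers_seen, rejected = demo()
    print("unsafe path emitted:", headers_seen)
    print("safe path rejected input:", rejected)
```

Rejecting rather than stripping CR and LF is deliberate: stripping silently turns a malformed value into a different valid one, which hides the fact that a caller is sending line terminators, while a rejection can be logged and alerted on. The allowlist is the second layer; even a well-formed value should not be able to set security-relevant headers such as Set-Cookie or Cache-Control that the description names as targets.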
Related CVEs
Same vendor
- CVE-2025-9973 — Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive aut... (6.4 MEDIUM)
- CVE-2025-10470 — The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, l... (8.6 HIGH)
- CVE-2025-8325 — The software fails to enforce role-based access controls for certain Gateway API invocations (6.3 MEDIUM)
- CVE-2025-10908 — Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic ... (7.3 HIGH)
- CVE-2024-0391 — The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the exis... (5.3 MEDIUM)
Same CWE
- CVE-2026-11859 — An HTML injection vulnerability in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation...
- CVE-2026-46546 — Frappe Learning Management System (LMS) is a learning system that helps users structure their content
- CVE-2026-47634 — Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized ... (7.3 HIGH)
- CVE-2026-42835 — Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows ... (8.1 HIGH)
- CVE-2026-8795 — A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6 (7.8 HIGH)