Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.impl@6.4.105

Type maven

Namespace org.wso2.carbon.apimgt

Name org.wso2.carbon.apimgt.impl

Version 6.4.105

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 9.32.167

Latest_non_vulnerable_version 9.32.167

Affected_by_vulnerabilities

url VCID-m5jg-vfm3-8uek

vulnerability_id VCID-m5jg-vfm3-8uek

summary

carbon-apimgt does not properly restrict uploaded files
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. 

 By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13590

reference_id

reference_type

scores

value	0.00108
scoring_system	epss
scoring_elements	0.28744
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13590

reference_url

https://github.com/wso2/carbon-apimgt

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/carbon-apimgt

reference_url

https://github.com/wso2/carbon-apimgt/commit/49a6427b39a5d9552ce97430858bb4b1912a3044

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/carbon-apimgt/commit/49a6427b39a5d9552ce97430858bb4b1912a3044

reference_url

https://github.com/wso2/carbon-apimgt/pull/13560

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/carbon-apimgt/pull/13560

reference_url

https://github.com/wso2/carbon-apimgt/releases/tag/v9.32.167

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/carbon-apimgt/releases/tag/v9.32.167

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13590

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13590

reference_url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849

reference_url

https://github.com/advisories/GHSA-p6jf-79j3-33f3

reference_id

GHSA-p6jf-79j3-33f3

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p6jf-79j3-33f3

reference_url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/

reference_id

WSO2-2025-4849

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T20:32:33Z/

url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4849/

fixed_packages

url	pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.impl@9.32.167
purl	pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.impl@9.32.167
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.impl@9.32.167

aliases CVE-2025-13590, GHSA-p6jf-79j3-33f3

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m5jg-vfm3-8uek

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.impl@6.4.105

Package Instance