Loading
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and destination in SOAP admin services. A malicious actor with administrative privileges can upload a specially crafted file to a user-controlled location within the deployment. Successful exploitation may lead to remote code execution (RCE) on the server, depending on how the uploaded file is processed. By default, this vulnerability is only exploitable by users with administrative access to the affected SOAP services.
Use CWE-434, Wso2 vendor hub and Api Control Plane product page to widen CVE-2025-10907 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2025-9312, CVE-2025-9804 and CVE-2025-13590 for nearby disclosures in the same product family.