Is CVE-2025-13590 actively exploited?

CVE-2025-13590 has no public evidence of in-the-wild exploitation as of 2026-02-20.

What is the CVSS score for CVE-2025-13590?

CVE-2025-13590 has a CVSS score of 9.1 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

How do I patch CVE-2025-13590?

Patch guidance is available from wso2 security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-13590.

Fix CVE-2025-13590 - CRITICAL wso2 api control plane

Q: Which products are affected by CVE-2025-13590?

11 products: wso2 api control plane, wso2 api control plane, wso2 api manager, wso2 api manager, wso2 api manager, and 6 more.

Description

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: high
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: NVD-CWE-noinfoCWE-434 · Unrestricted File Upload

Metadata

Primary Vendor: WSO2
Published: 2/19/2026
Last Modified: 2/20/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

wso2 : api_control_planewso2 : api_control_planewso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : api_managerwso2 : traffic_managerwso2 : traffic_managerwso2 : universal_gatewaywso2 : universal_gateway

Remediation Guidance

Executive Summary

View on NIST NVD