
Reflected XSS Vulnerability in WSO2 API Manager 2.6.0 Discovered

Severity: Medium (Score: 57.8)

Sources: nvd.nist.gov, Securin

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: wso2, reflected, enrichment, discovered, vulnerability, inline, cve-2019-20435

Severity indicators: vulnerability, CVE:CVE-2019-20435

Summary

A reflected cross-site scripting (XSS) vulnerability, identified as CVE-2019-20435, was discovered in WSO2 API Manager version 2.6.0. This vulnerability allows attackers to exploit the inline API documentation editor page of the API Publisher by sending a malicious HTTP GET request with a harmful 'docName' parameter. The attack requires only LAN or WiFi adjacency to be successful. The vulnerability has been reproduced in a sandboxed environment, indicating its potential for exploitation. Affected users are advised to download the relevant patch based on their product version. The CVE was published on January 27, 2020, and has been updated in the NVD as of June 9, 2026. Security professionals should prioritize applying the patch to mitigate risks associated with this vulnerability.

Key Points:

  • CVE-2019-20435 is a reflected XSS vulnerability in WSO2 API Manager 2.6.0.
  • Attackers can exploit this vulnerability via malicious HTTP GET requests.
  • Users are urged to apply the relevant patches to protect their systems.

Detailed Analysis

**Impact**

Organizations using WSO2 API Manager version 2.6.0 are affected by this reflected XSS vulnerability, primarily those with API Publisher access. The vulnerability allows attackers on the same LAN or WiFi network to execute arbitrary scripts via the inline API documentation editor, potentially compromising session integrity and user data. No specific sectors, geographies, or quantitative impact data are provided in the sources.

**Technical Details**

The attack exploits a reflected cross-site scripting vulnerability (CVE-2019-20435) in the 'docName' request parameter of the inline API documentation editor page. The attack vector requires sending a crafted HTTP GET request with a malicious parameter, enabling script execution in the victim's browser. The vulnerability was reproduced in a sandboxed environment and requires network adjacency, affecting the post-exploitation phase of the kill chain. No malware or additional tools are specified. Relevant IOCs are not detailed.

**Recommended Response**

Apply the vendor-provided patch corresponding to WSO2 API Manager 2.6.0 immediately. Monitor network traffic for suspicious HTTP GET requests containing anomalous 'docName' parameters. Harden configurations to restrict access to the API Publisher interface to trusted networks only. If patching is delayed, implement web application firewall (WAF) rules to block malicious payloads targeting the 'docName' parameter.
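The recommended response above asks defenders to watch for anomalous 'docName' values in GET requests. The script below is an added example of that log review, not code from WSO2 or from either source article: it parses combined-format access-log lines, percent-decodes the 'docName' query parameter (repeatedly, so double-encoded values are inspected in plain form), and flags values carrying tag delimiters, script URLs, or inline event-handler syntax. The request path '/publisher/inline-doc-editor' and the log lines are constructed placeholders, not the product's real URL or real traffic.

```python
"""Flag GET requests whose 'docName' query parameter looks like a reflected-XSS probe.

Added example for defender-side log review. The request path '/publisher/inline-doc-editor'
is an assumed placeholder, not WSO2 API Manager's real endpoint.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style); none are real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2026:10:00:01 +0000] "GET /publisher/inline-doc-editor?docName=GettingStarted HTTP/1.1" 200 5120
10.0.0.6 - - [09/Jun/2026:10:00:02 +0000] "GET /publisher/inline-doc-editor?docName=Release%20Notes%202.6 HTTP/1.1" 200 5120
10.0.0.7 - - [09/Jun/2026:10:00:03 +0000] "GET /publisher/inline-doc-editor?docName=%3Cscript%3E HTTP/1.1" 200 5120
10.0.0.8 - - [09/Jun/2026:10:00:04 +0000] "GET /publisher/inline-doc-editor?docName=%253Cb%253E HTTP/1.1" 200 5120
10.0.0.9 - - [09/Jun/2026:10:00:05 +0000] "GET /store/apis/list HTTP/1.1" 200 800
"""

# Client address, then the quoted request line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Fragments that have no place in a document name but are typical of injected markup.
SUSPICIOUS_FRAGMENTS = (
    re.compile(r"[<>]"),                  # HTML tag delimiters
    re.compile(r"javascript:", re.I),     # script-scheme URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event-handler attributes (onerror=, onload=, ...)
)


def decode_param(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %253C is seen as '<' too."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_docname(value: str) -> bool:
    """True when the (fully decoded) docName value contains markup or script syntax."""
    decoded = decode_param(value)
    return any(pattern.search(decoded) for pattern in SUSPICIOUS_FRAGMENTS)


def find_suspicious_docname(log_text: str) -> list[dict]:
    """Return one record per GET request whose docName parameter trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match or match.group("method") != "GET":
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs already decodes one layer of percent-encoding and '+' to space.
        for value in parse_qs(query, keep_blank_values=True).get("docName", []):
            if is_suspicious_docname(value):
                hits.append({
                    "client": match.group("client"),
                    "target": match.group("target"),
                    "docName": decode_param(value),
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_docname(SAMPLE_LOG):
        print(f"{hit['client']} docName={hit['docName']!r} target={hit['target']}")
```

Only the two constructed lines whose 'docName' decodes to markup are reported; ordinary names with spaces, dots, or version numbers pass. The heuristics deliberately err toward flagging anything tag-like, because a legitimate document name never needs angle brackets; tune them against your own publisher traffic before turning the logic into a WAF rule.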

Source articles (2)

  • CVE-2019-20435: Reflected XSS in WSO2 API Manager 2.6.0 — Securin · 2026-06-08
    A vulnerability was discovered on WSO2 products inline API documentation editor page of the API Publisher. A reflected cross-site script (XSS) vulnerability allows an attacker to perform in the inline…
  • CVE 2019 20435 — nvd.nist.gov · 2026-06-09
    This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes. An issue was discovered in WSO2 API Manage…

Timeline

  • 2020-01-27 — CVE-2019-20435 published: The vulnerability in WSO2 API Manager was officially published, detailing the XSS issue.
  • 2026-06-08 — Vulnerability discovered: Securin reported the reflected XSS vulnerability in WSO2 API Manager's inline documentation editor.
  • 2026-06-09 — NVD enrichment update: The NVD updated the CVE record to reflect new enrichment efforts and details about the vulnerability.

CVEs

  • CVE-2019-20435

Related entities

  • XSS (Vulnerability)
  • Reflected XSS (Vulnerability)
  • WSO2 (Company)
  • CWE-79 - Cross-site Scripting (XSS) (CWE)
  • WSO2 API Manager (Platform)