ByteOS Network

NVD Vulnerability Details :

CVE-2025-10503

Analyzed

Source-ed10eef1-636d-4fbe-9993-6890dfa878f8

Published At-29 Apr, 2026 | 09:16

Updated At-01 May, 2026 | 17:40

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CPE Matches

WSO2 LLC

>>identity_server>>Versions from 7.1.0(inclusive) to 7.1.0.28(exclusive)

cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	ed10eef1-636d-4fbe-9993-6890dfa878f8

CWE ID: CWE-79

Type: Secondary

Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

References

Hyperlink	Source	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/	ed10eef1-636d-4fbe-9993-6890dfa878f8	Vendor Advisory

Hyperlink: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/

Source: ed10eef1-636d-4fbe-9993-6890dfa878f8

Resource:

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History