A reflected cross-site scripting vulnerability exists in the select_org.jsp endpoint of WSO2 API Manager and WSO2 Identity Server. Attacker-controlled input from the query string is written into the HTML response without output encoding, so a crafted URL can inject arbitrary HTML and JavaScript into the page.
If an administrator who is logged in to the management console follows such a link, the injected JavaScript runs in that authenticated session, with the administrator's cookies and privileges. From there, the attacker can invoke SOAP admin services (CVE-2025-10907) to achieve one-click remote code execution on the underlying server.
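The root cause is the classic reflection pattern (the JSP equivalent of `<%= request.getParameter(...) %>`) and the fix is context-appropriate output encoding. The following Python is an added illustration, not WSO2 code: it models a stand-in for the vulnerable page beside a hardened version, and a probe that sends a canary through each and reports whether it comes back unencoded. The parameter name `org`, the `<option>` markup and the `probe` helper are assumptions made for the example; the advisory does not name the affected parameter.

```python
"""Reflected-XSS reflection probe and encoding fix.

Added example, not WSO2 code. Assumption (not from the advisory): the
query parameter is named `org` and is echoed inside an <option> element,
both as an attribute value and as text. Both render functions below are
stand-ins written here to show the vulnerable and hardened patterns.
"""
import html
from urllib.parse import parse_qs, urlencode

# Canary covering every character that is significant in HTML text and
# attribute contexts. A response that contains it verbatim is reflecting
# user input without encoding.
CANARY = '<">\'&xss'


def _param(query_string: str, name: str) -> str:
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Mimics the unsafe JSP pattern: the raw parameter is interpolated."""
    org = _param(query_string, "org")
    return f'<select name="org"><option value="{org}">{org}</option></select>'


def render_hardened(query_string: str) -> str:
    """Same page with the value HTML-encoded before it is written out
    (what JSTL <c:out> or fn:escapeXml does in a JSP)."""
    org = _param(query_string, "org")
    safe = html.escape(org, quote=True)  # encodes & < > " and '
    return f'<select name="org"><option value="{safe}">{safe}</option></select>'


def reflects_unencoded(body: str, canary: str = CANARY) -> bool:
    """True if the canary appears in the response exactly as it was sent."""
    return canary in body


def probe(render, param_name: str = "org", canary: str = CANARY) -> bool:
    """URL-encode the canary, push it through `render`, and report whether
    the page reflects it raw. Against a live target the same check would be
    made on the HTTP response body instead of a local render function."""
    qs = urlencode({param_name: canary})
    return reflects_unencoded(render(qs), canary)


if __name__ == "__main__":
    # Constructed breakout payload: closes the attribute, then injects a script tag.
    payload = urlencode({"org": '"><script>alert(document.cookie)</script>'})
    print("vulnerable reflects canary:", probe(render_vulnerable))
    print("hardened reflects canary:  ", probe(render_hardened))
    print("vulnerable output:", render_vulnerable(payload))
    print("hardened output:  ", render_hardened(payload))
```

`html.escape` with `quote=True` is correct for text content and for double- or single-quoted attribute values; it is not sufficient for values landing inside a `<script>` block, a URL, or an unquoted attribute, which need their own encoders.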
This vulnerability was responsibly disclosed to the vendor and has been patched; affected deployments should apply the vendor's fix.