A vulnerability was discovered on WSO2 API Manager 2.6.0 in the inline API documentation editor page of the API Publisher. A stored cross-site script (XSS) vulnerability allows an attacker to inject malicious code into the inline API documentation editor page of the API Publisher when the user uses XSS payload in the code view.