Apache Wicket security advisories
Security information for Apache Wicket
Reporting
Do you want disclose a potential security issue for Apache Wicket? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Possible malicious path traversal in FolderUploadsFileManager
CVE-2026-43975 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-06T08:28:37.545Z
Affected
- Apache Wicket from 10.0.0 through 10.8.0
- Apache Wicket from 9.0.0 through 9.22.0
- Apache Wicket from 8.0.0 through 8.17
Description
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName
before constructing file paths, allowing an unauthenticated attacker to
write arbitrary files outside the intended upload directory or read
files from arbitrary locations on the server.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
References
- https://github.com/apache/wicket/pull/1432
- https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr
crafted URLs can bypass PackageResourceGuard
CVE-2026-43646 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-06T08:31:55.175Z
Affected
- Apache Wicket from 8.0.0 through 8.17.0
- Apache Wicket from 9.0.0 through 9.22.0
- Apache Wicket from 10.0.0 through 10.8.0
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
References
crafted strings can break out of the JavaScript sequence
CVE-2026-42509 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-06T08:34:07.745Z
Affected
- Apache Wicket from 8.0.0 through 8.17.0
- Apache Wicket from 9.0.0 through 9.22.0
- Apache Wicket from 10.0.0 through 10.8.0
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
References
possible session fixation using AuthenticatedWebSession
CVE-2026-40010 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-06T08:34:37.475Z
Affected
- Apache Wicket from 10.0.0 through 10.8.0
- Apache Wicket from 8.0.0 through 8.17.0
- Apache Wicket from 9.0.0 through 9.22.0
Description
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
References
An attacker can intentionally trigger a memory leak
CVE-2024-53299 [CVE] [CVE json] [OSV json]
Last updated: 2025-01-23T08:37:04.162Z
Affected
- Apache Wicket from 7.0.0 through 7.18.*
- Apache Wicket from 8.0.0-M1 through 8.16.*
- Apache Wicket from 9.0.0-M1 through 9.18.*
- Apache Wicket from 10.0.0-M1 through 10.2.*
Description
The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.
Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue.
References
Credits
- Pedro Santos (finder)
Remote code execution via XSLT injection
CVE-2024-36522 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-12T12:13:50.122Z
Affected
- Apache Wicket from 10.0.0-M1 through 10.0.0
- Apache Wicket from 9.0.0 through 9.17.0
- Apache Wicket from 8.0.0 through 8.15.0
Description
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
References
Credits
- cigar (finder)
Possible bypass of CSRF protection
CVE-2024-27439 [CVE] [CVE json] [OSV json]
Last updated: 2024-03-19T11:07:46.188Z
Affected
- Apache Wicket from 9.1.0 through 9.16.0
- Apache Wicket from 10.0.0-M1 before 10.0.0
Description
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.
Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
References
Credits
- Jo Theunis (finder)
DNS proxy and possible amplification attack
CVE-2021-23937 [CVE] [CVE json] [OSV json]
Last updated: 2021-05-25T08:01:09.799Z
Affected
- Apache Wicket from Apache Wicket 9.x through 9.2.0
- Apache Wicket from Apache Wicket 8.x through 8.11.0
- Apache Wicket from Apache Wicket 7.x through 7.17.0
- Apache Wicket from 6.2.0 before Apache Wicket 6.x*
Description
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself.
This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.
References
Credits
- Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.