Apache Wicket security advisories

Security information for Apache Wicket

Reporting

Do you want disclose a potential security issue for Apache Wicket? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Possible malicious path traversal in FolderUploadsFileManager

CVE-2026-43975 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-06T08:28:37.545Z

Affected

  • Apache Wicket from 10.0.0 through 10.8.0
  • Apache Wicket from 9.0.0 through 9.22.0
  • Apache Wicket from 8.0.0 through 8.17

Description

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.


References

crafted URLs can bypass PackageResourceGuard

CVE-2026-43646 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-06T08:31:55.175Z

Affected

  • Apache Wicket from 8.0.0 through 8.17.0
  • Apache Wicket from 9.0.0 through 9.22.0
  • Apache Wicket from 10.0.0 through 10.8.0

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References

crafted strings can break out of the JavaScript sequence

CVE-2026-42509 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-06T08:34:07.745Z

Affected

  • Apache Wicket from 8.0.0 through 8.17.0
  • Apache Wicket from 9.0.0 through 9.22.0
  • Apache Wicket from 10.0.0 through 10.8.0

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References

possible session fixation using AuthenticatedWebSession

CVE-2026-40010 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-06T08:34:37.475Z

Affected

  • Apache Wicket from 10.0.0 through 10.8.0
  • Apache Wicket from 8.0.0 through 8.17.0
  • Apache Wicket from 9.0.0 through 9.22.0

Description

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.


References

An attacker can intentionally trigger a memory leak

CVE-2024-53299 [CVE] [CVE json] [OSV json]

Last updated: 2025-01-23T08:37:04.162Z

Affected

  • Apache Wicket from 7.0.0 through 7.18.*
  • Apache Wicket from 8.0.0-M1 through 8.16.*
  • Apache Wicket from 9.0.0-M1 through 9.18.*
  • Apache Wicket from 10.0.0-M1 through 10.2.*

Description

The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.
Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue.

References

Credits

  • Pedro Santos (finder)

Remote code execution via XSLT injection

CVE-2024-36522 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-12T12:13:50.122Z

Affected

  • Apache Wicket from 10.0.0-M1 through 10.0.0
  • Apache Wicket from 9.0.0 through 9.17.0
  • Apache Wicket from 8.0.0 through 8.15.0

Description

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

References

Credits

  • cigar (finder)

Possible bypass of CSRF protection

CVE-2024-27439 [CVE] [CVE json] [OSV json]

Last updated: 2024-03-19T11:07:46.188Z

Affected

  • Apache Wicket from 9.1.0 through 9.16.0
  • Apache Wicket from 10.0.0-M1 before 10.0.0

Description

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.

This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

References

Credits

  • Jo Theunis (finder)

DNS proxy and possible amplification attack

CVE-2021-23937 [CVE] [CVE json] [OSV json]

Last updated: 2021-05-25T08:01:09.799Z

Affected

  • Apache Wicket from Apache Wicket 9.x through 9.2.0
  • Apache Wicket from Apache Wicket 8.x through 8.11.0
  • Apache Wicket from Apache Wicket 7.x through 7.17.0
  • Apache Wicket from 6.2.0 before Apache Wicket 6.x*

Description

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself.

This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

References

Credits

  • Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.