EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in Apache Wicket, a popular open-source Java framework. The affected software and versions include Apache Wicket 8.x, 9.x, and 10.x, particularly version 10.8.0 and earlier. The identified vulnerabilities comprise three Critical and one Important threat, primarily affecting session management, file uploads, and resource protection. This advisory highlights the business risk and impact, as these vulnerabilities can lead to unauthorized access, data exposure, and potential disruption of critical applications. If left unaddressed, these vulnerabilities can render the affected applications vulnerable to unauthenticated attacks, potentially resulting in significant business consequences and reputational damage.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in Apache Wicket, a popular open-source Java framework. The affected software and versions include Apache Wicket 8.x, 9.x, and 10.x, particularly version 10.8.0 and earlier. The identified vulnerabilities comprise three Critical and one Important threat, primarily affecting session management, file uploads, and resource protection. This advisory highlights the business risk and impact, as these vulnerabilities can lead to unauthorized access, data exposure, and potential disruption of critical applications. If left unaddressed, these vulnerabilities can render the affected applications vulnerable to unauthenticated attacks, potentially resulting in significant business consequences and reputational damage.[emaillocker id="1283"]
CVE-2026-43975 with a CVSS score of 6.5 – This medium severity vulnerability allows an unauthenticated attacker to execute a Path Traversal attack by crafting malicious filenames, enabling them to write arbitrary files to sensitive locations outside the intended upload directory and read internal server files from arbitrary locations.
CVE-2026-40010 with a CVSS score of 9.1 – This Critical vulnerability targets Wicket’s AuthenticatedWebSession, enabling an attacker to supply a predetermined session ID to a victim and then take over that session once the victim logs in, effectively bypassing authentication entirely.
CVE-2026-43646 with a CVSS score of 7.5 – This high severity vulnerability allows attackers to use specially crafted URLs to bypass the PackageResourceGuard, leading to the exposure of sensitive information to unauthorized actors who should not have access to internal package resources.
CVE-2026-42509 with a CVSS score of 6.1 – This Important flaw involves improper neutralization of input during web page generation, enabling attackers to use crafted strings to inject malicious scripts into the pages of other users.
A broad range of Apache Wicket versions are affected. The exploitation of these weaknesses can result in significant business consequences, including unauthorized access to sensitive data, disruption of critical applications, and reputational damage. This advisory emphasizes the urgent necessity for prompt action to protect against these imminent threats.
RECOMMENDATION:
We recommend you to update Apache Wicket to version 10.9.0.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-wicket-critical-vulnerabilities-path-traversal-session-fixation-10-9-0/