CVE-2026-43646

🗓️ 06 May 2026 08:31:50Reported by apacheType

CVE-2026-43646 in Apache Wicket allows crafted links to bypass PackageResourceGuard and expose sensitive information.

Reporter	Title	Published	Views	Family All 11
ATTACKERKB	CVE-2026-43646	6 May 202608:31	–	attackerkb
Circl	CVE-2026-43646	6 May 202602:07	–	circl
CNNVD	Apache Wicket 信息泄露漏洞	6 May 202600:00	–	cnnvd
Cvelist	CVE-2026-43646 Apache Wicket: crafted URLs can bypass PackageResourceGuard	6 May 202608:31	–	cvelist
EUVD	EUVD-2026-27651	6 May 202612:30	–	euvd
Github Security Blog	Apache Wicket has an Exposure of Sensitive Information to an Unauthorized Actor vulnerability	6 May 202612:30	–	github
NVD	CVE-2026-43646	6 May 202610:16	–	nvd
OSV	GHSA-JVV4-8WXX-M5R6 Apache Wicket has an Exposure of Sensitive Information to an Unauthorized Actor vulnerability	6 May 202612:30	–	osv
Positive Technologies	PT-2026-37431	6 May 202600:00	–	ptsecurity
Snyk	Directory Traversal	6 May 202611:24	–	snyk

NVD

Vulners

Node

apache wicketRange8.0.0–8.17.0

apache wicketRange9.0.0–9.22.0

apache wicketRange10.0.0–10.9.0

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Wicket",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "8.17.0",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.22.0",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.8.0",
        "status": "affected",
        "version": "10.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs
openwall	www.openwall.com/lists/oss-security/2026/05/06/3

06 May 2026 20:29Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

EPSS0.00082

SSVC

CWE-200