Lucene search
K

11 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.11 views

CVE-2026-43646

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

7.5CVSS5.4AI score0.00394EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.9 views

CVE-2026-43975

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...

6.5CVSS5.5AI score0.00732EPSS
Exploits0References1
OSV
OSV
added 2026/05/06 12:30 p.m.6 views

GHSA-JVV4-8WXX-M5R6 Apache Wicket has an Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

7.5CVSS5.8AI score0.00394EPSS
Exploits0References4
OSV
OSV
added 2026/05/06 12:30 p.m.5 views

GHSA-5X9H-93GP-CHPJ Apache Wicket has a Cross-site Scripting issue

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

6.1CVSS5.8AI score0.00357EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/06 12:30 p.m.11 views

EUVD-2026-27554

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...

9.1CVSS5.7AI score0.00379EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/06 8:34 a.m.30 views

CVE-2026-40010 Apache Wicket: possible session fixation using AuthenticatedWebSession

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...

0.00379EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/06 8:34 a.m.10 views

CVE-2026-40010 Apache Wicket: possible session fixation using AuthenticatedWebSession

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...

5.7AI score0.00379EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/06 8:31 a.m.9 views

CVE-2026-43646 Apache Wicket: crafted URLs can bypass PackageResourceGuard

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

5.8AI score0.00394EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/06 8:31 a.m.9 views

CVE-2026-43646

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

5.8AI score0.00394EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/06 8:28 a.m.37 views

CVE-2026-43975 Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...

0.00732EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.14 views

PT-2026-37432

Name of the Vulnerable Software and Affected Versions Apache Wicket versions 8.0.0 through 8.17.0 Apache Wicket versions 9.0.0 through 9.22.0 Apache Wicket versions 10.0.0 through 10.8.0 Description FolderUploadsFileManager fails to validate or sanitize the uploadFieldId parameter or the...

6.5CVSS5.9AI score0.00732EPSS
Exploits0References7
Rows per page
Query Builder