oss-sec mailing list archives

CVE-2026-43646: Apache Wicket: crafted URLs can bypass PackageResourceGuard


From: Pedro Henrique Oliveira dos Santos <pedro () apache org>
Date: Tue, 05 May 2026 23:17:19 +0000

Severity: critical 

Affected versions:

- Apache Wicket 8.0.0 through 8.17.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 10.0.0 through 10.8.0

Description:

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References:

https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43646


Current thread: