Apache Wicket
17 CVEs affecting Apache Wicket. Latest disclosed: 2026-05-06. Critical: 2, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-40010 | Critical | 9.1 | 2026-05-06 | Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. T… |
| CVE-2016-6793 | Critical | 9.1 | 2017-07-17 | The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and writ… |
| CVE-2016-6806 | High | 8.8 | 2017-10-03 | Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitiga… |
| CVE-2026-43646 | High | 7.5 | 2026-05-06 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9… |
| CVE-2014-3526 | High | 7.5 | 2017-10-30 | Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving iden… |
| CVE-2014-7808 | High | 7.5 | 2017-09-15 | Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict… |
| CVE-2026-43975 | Medium | 6.5 | 2026-05-06 | FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allo… |
| CVE-2026-42509 | Medium | 6.1 | 2026-05-06 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8… |
| CVE-2012-5636 | Medium | 6.1 | 2017-10-30 | Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject… |
| CVE-2015-7520 | Medium | 6.1 | 2016-04-12 | Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x befo… |
| CVE-2015-5347 | Medium | 6.1 | 2016-04-12 | Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache W… |
| CVE-2014-0043 | Medium | 5.3 | 2017-10-03 | In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in th… |
| CVE-2013-2055 | | | 2014-02-10 | Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain sensitive informati… |
| CVE-2012-3373 | | | 2012-09-19 | Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or… |
| CVE-2012-1089 | | | 2012-03-23 | Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files v… |
| CVE-2012-0047 | | | 2012-03-23 | Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the wicket:pag… |
| CVE-2011-2712 | | | 2011-08-29 | Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to injec… |