Triple Critical Threat: Apache Wicket Patch Fixes Path Traversal, Session Hijacking, and Resource Bypass
Ddos 
The Apache Wicket project, a popular open-source Java framework prized for its clean separation of HTML markup and Java logic, has released an urgent security update to address four significant vulnerabilities. Three of these flaws carry a Critical severity rating, impacting the core components used to manage sessions, handle file uploads, and protect sensitive resources.
Development teams are urged to upgrade to version 10.9.0 immediately to protect their applications from unauthenticated attacks.
Path Traversal: Unauthorized File Control (CVE-2026-43975)
The most severe threat involves the Folder Uploads FileManager. Researchers discovered that the framework fails to properly sanitize the uploadFieldId and clientFileName parameters before constructing file paths.
This oversight allows an unauthenticated attacker to execute a Path Traversal attack.
By crafting malicious filenames, an actor can:
- Write arbitrary files to sensitive locations outside the intended upload directory.
- Read internal server files from arbitrary locations, potentially exposing configuration data or source code.
Session Fixation: Hijacking Authenticated Users (CVE-2026-40010)
Another Critical vulnerability targets Wicket’s AuthenticatedWebSession. The framework was found to be missing a crucial call to the changeSessionId method after a user successfully binds their session.
By exploiting this “Session Fixation” flaw, an attacker can supply a predetermined session ID to a victim and then take over that session once the victim logs in, effectively bypassing authentication entirely.
Information Disclosure and XSS Risks
The security bulletin also highlights two additional flaws that compromise application integrity:
- Resource Guard Bypass (CVE-2026-43646): This Critical vulnerability allows attackers to use specially crafted URLs to bypass the PackageResourceGuard. This bypass can lead to the exposure of sensitive information to unauthorized actors who should not have access to internal package resources.
- Cross-Site Scripting (CVE-2026-42509): Rated as Important, this flaw involves improper neutralization of input during web page generation. Attackers can use crafted strings to “break out” of JavaScript sequences, allowing them to inject malicious scripts into the pages of other users.
Remediation
These vulnerabilities affect a broad range of Wicket versions, including the 8.x, 9.x, and 10.x release lines. Users across all major versions should upgrade to Apache Wicket 10.9.0 as soon as possible.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
