Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager_CVE-2026-43975

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName
before constructing file paths, allowing an unauthenticated attacker to
write arbitrary files outside the intended upload directory or read
files from arbitrary locations on the server.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Basic Information

ID CVE-2026-43975

Source apache

Published May 6, 2026 at 08:28

Modified May 6, 2026 at 13:05

Affected Product

Vendor Apache Software Foundation

Product Apache Wicket

Version 10.0.0

Affected Versions Apache Software Foundation Apache Wicket 10.0.0
Apache Software Foundation Apache Wicket 9.0.0
Apache Software Foundation Apache Wicket 8.0.0

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName\n before constructing file paths, allowing an unauthenticated attacker to\n write arbitrary files outside the intended upload directory or read \nfiles from arbitrary locations on the server.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.",
    "published": "2026-05-06T08:28:27.681Z",
    "modified": "2026-05-06T13:05:44.585Z",
    "type": "cve",
    "title": "Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager",
    "source": "apache",
    "references": "https://github.com/apache/wicket/pull/1432\nhttps://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr",
    "id": "CVE-2026-43975",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Wicket 10.0.0\nApache Software Foundation Apache Wicket 9.0.0\nApache Software Foundation Apache Wicket 8.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Wicket",
    "version": "10.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}