Apache Wicket: crafted URLs can bypass PackageResourceGuard_CVE-2026-43646

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Basic Information

ID CVE-2026-43646

Source apache

Published May 6, 2026 at 08:31

Modified May 6, 2026 at 13:58

Affected Product

Vendor Apache Software Foundation

Product Apache Wicket

Version 8.0.0

Affected Versions Apache Software Foundation Apache Wicket 8.0.0
Apache Software Foundation Apache Wicket 9.0.0
Apache Software Foundation Apache Wicket 10.0.0

CWE Classification

CWE-200

References

lists.apache.org /thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs

{
    "lastseen": "",
    "description": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.",
    "published": "2026-05-06T08:31:50.560Z",
    "modified": "2026-05-06T13:58:50.550Z",
    "type": "cve",
    "title": "Apache Wicket: crafted URLs can bypass PackageResourceGuard",
    "source": "apache",
    "references": "https://lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs",
    "id": "CVE-2026-43646",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Wicket 8.0.0\nApache Software Foundation Apache Wicket 9.0.0\nApache Software Foundation Apache Wicket 10.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Wicket",
    "version": "8.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}