Apache Wicket: crafted strings can break out of the JavaScript...

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Basic Information

ID CVE-2026-42509

Source apache

Published May 6, 2026 at 08:34

Modified May 7, 2026 at 12:16

Affected Product

Vendor Apache Software Foundation

Product Apache Wicket

Version 8.0.0

Affected Versions Apache Software Foundation Apache Wicket 8.0.0
Apache Software Foundation Apache Wicket 9.0.0
Apache Software Foundation Apache Wicket 10.0.0

CWE Classification

CWE-79

References

lists.apache.org /thread/52nrq4tt07gxz4r6sj5gyocz5s6bprjp

{
    "lastseen": "",
    "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.",
    "published": "2026-05-06T08:34:00.746Z",
    "modified": "2026-05-07T12:16:58.182Z",
    "type": "cve",
    "title": "Apache Wicket: crafted strings can break out of the JavaScript sequence",
    "source": "apache",
    "references": "https://lists.apache.org/thread/52nrq4tt07gxz4r6sj5gyocz5s6bprjp",
    "id": "CVE-2026-42509",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Wicket 8.0.0\nApache Software Foundation Apache Wicket 9.0.0\nApache Software Foundation Apache Wicket 10.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Wicket",
    "version": "8.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Wicket: crafted strings can break out of the JavaScript sequence_CVE-2026-42509