[ANNOUNCE] Apache Wicket 10.9.0 released

Tue, 05 May 2026 01:42:04 -0700 

The Apache Wicket PMC is proud to announce Apache Wicket 10.9.0!

Apache Wicket is an open source Java component oriented web application
framework that powers thousands of web applications and web sites for
governments, stores, universities, cities, banks, email providers, and
more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks another minor release of Wicket 10. We
use semantic versioning for the development of Wicket, and as such no
API breaks are present in this release compared to 10.0.0.

New and noteworthy
------------------

This release fixes the following security issue:

 * CVE-2026-43646 crafted URLs can bypass PackageResourceGuard
 * CVE-2026-42509 crafted strings can break out of the JavaScript sequence
 * CVE-2026-40010 possible session fixation using AuthenticatedWebSession
 * CVE-2026-43975 Possible malicious path traversal in FolderUploadsFileManager 


Using this release
------------------

With Apache Maven update your dependency to (and don't forget to
update any other dependencies on Wicket projects to the same version):

<dependency>
    <groupId>org.apache.wicket</groupId>
    <artifactId>wicket-core</artifactId>
    <version>10.9.0</version>
</dependency>

Or download and build the distribution yourself, or use our
convenience binary package you can find here:

 * Download: http://wicket.apache.org/start/wicket-10.x.html#manually

Upgrading from earlier versions
-------------------------------

If you upgrade from 10.y.z this release is a drop in replacement. If
you come from a version prior to 10.0.0, please read our Wicket 10
migration guide found at

 * http://s.apache.org/wicket10migrate

Have fun!

— The Wicket team


========================================================================

    CHANGELOG for 10.9.0:

** Bug

    * [WICKET-7174] - DefaultSecureRandomSupplier does not work for FIPS

** New Feature
    * [WICKET-7169] - Make partHeaderSizeMax in AbstractFileUpload configurable 

** Improvement

    * [WICKET-7172] - Support new CSP style, script directives
    * [WICKET-7179] - add support for jQuery 4.0.0

Reply via email to