Hi,
Severity: critical
Affected versions:
- Apache Wicket 10.0.0 through 10.8.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 8.0.0 through 8.17
Description:
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the
uploadFieldId parameter or the clientFileName before constructing file
paths, allowing an unauthenticated attacker to write arbitrary files outside
the intended upload directory or read files from arbitrary locations on the
server.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through
9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Will there really be no fix on Wicket 9.x? AFAIK Wicket 10.0 requires
Jakarta J2EE. We unfortunately still have customer deployments on Wicket
9.x ...
Regards,
Tobias
References:
https://github.com/apache/wicket/pull/1432
https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43975
--
Tobias Gierke
Software Developer
Voipfuture GmbH Wendenstr. 4 20097 Hamburg Germany
Phone +49 40 688 9001 64 Fax +49 40 688 9001 99 www.voipfuture.com
Managing Directors Jan Bastian Eyal Ullert
Commercial Court AG Hamburg HRB 109896 VAT ID DE263738086
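For readers on the affected branches, a hardened form of the path construction the advisory describes, as an added example only (not Wicket's code and not part of this thread). The base directory, the allow-list pattern for uploadFieldId and the class name are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Hypothetical resolver for per-field upload paths. It applies the two checks
 * the advisory says FolderUploadsFileManager lacked: the field id is restricted
 * to an allow-list, the client file name is reduced to its last component, and
 * the normalized result must still sit inside the configured base directory.
 */
public final class SafeUploadPathResolver {
    // Assumed allow-list: an opaque token with no path separators or dots.
    private static final Pattern FIELD_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Path baseDir;

    public SafeUploadPathResolver(Path baseDir) {
        // Absolute, normalized base so startsWith() below is a meaningful test.
        // If baseDir may contain symlinks, resolve it once with toRealPath() instead.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the target path, or throws if either untrusted input would escape baseDir. */
    public Path resolve(String uploadFieldId, String clientFileName) {
        if (uploadFieldId == null || !FIELD_ID.matcher(uploadFieldId).matches()) {
            throw new IllegalArgumentException("rejected uploadFieldId");
        }
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("missing clientFileName");
        }
        // Browsers may send a full client-side path; keep only the final component and
        // treat both '/' and '\' as separators regardless of the server OS.
        int cut = Math.max(clientFileName.lastIndexOf('/'), clientFileName.lastIndexOf('\\'));
        String name = clientFileName.substring(cut + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected clientFileName");
        }
        Path target = baseDir.resolve(uploadFieldId).resolve(name).normalize();
        // Containment check after normalization: anything outside baseDir is refused.
        if (!target.startsWith(baseDir) || target.equals(baseDir)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        SafeUploadPathResolver r = new SafeUploadPathResolver(Paths.get("/tmp/uploads"));
        System.out.println(r.resolve("field7", "C:\\Users\\me\\report.pdf"));
        try {
            r.resolve("..", "passwd"); // field id fails the allow-list before any path is built
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```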