Apache · Apache Wicket · CVE-2024-27439
**Name of the Vulnerable Software and Affected Versions**
Apache Wicket versions 9.1.0 through 9.16.0
Apache Wicket milestone releases for the 10.0 series
**Description**
The vulnerability is a bypass of the CSRF protection in Apache Wicket, caused by an error in how the framework evaluates the Fetch Metadata request headers (the browser-supplied Sec-Fetch-* headers) on which that protection relies. A remote attacker could use a specially crafted web page to perform a CSRF attack against a user of a vulnerable application. The number of potentially affected deployments is not specified, and there are no reports of this issue being exploited in the wild.
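To make concrete what "evaluation of the Fetch Metadata headers" means for a defender, the following is an added, language-agnostic illustration of a Fetch Metadata resource isolation policy, the class of check this CSRF protection performs. It is example code written for this page, not Apache Wicket's own implementation, and it does not reproduce the specific defect behind CVE-2024-27439; the `Request` type, the function names and the sample requests are constructed for the example. The point it shows is the fail-closed shape such a policy needs: cross-site requests are refused unless they are safe-method top-level navigations, an unrecognised `Sec-Fetch-Site` value is treated as cross-site, and an absent header is the only case handed to the application's other CSRF defences.

```python
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional

# Methods that must never change server state; only these may be accepted
# on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for an HTTP request (hypothetical type)."""
    method: str
    headers: Mapping[str, str] = field(default_factory=dict)


def _header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup; values are normalised to lower case."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None


def is_request_allowed(req: Request) -> bool:
    """Fetch Metadata resource isolation policy (defender-side check).

    Returns True when this layer lets the request through and False when it
    should be rejected as a likely cross-site request forgery.
    """
    site = _header(req, "Sec-Fetch-Site")

    # Browsers that do not send Fetch Metadata: this layer cannot decide, so
    # the request falls through to the application's other CSRF defence
    # (Origin/Referer check or a synchroniser token). Modelled here as
    # "allowed by this layer" and nothing more.
    if site is None:
        return True

    # Same-origin, same-site and user-initiated ("none": address bar,
    # bookmark) requests are not cross-site and therefore not CSRF.
    if site in ("same-origin", "same-site", "none"):
        return True

    # Everything else, including values the policy does not recognise, is
    # treated as cross-site. Permit only a safe-method top-level navigation
    # that is not being embedded via <object>/<embed>, which a page can drive.
    mode = _header(req, "Sec-Fetch-Mode")
    dest = _header(req, "Sec-Fetch-Dest")
    if (
        mode == "navigate"
        and req.method.upper() in SAFE_METHODS
        and dest not in ("object", "embed")
    ):
        return True

    # Cross-site form POSTs, fetch()/XHR, iframes, images and the like are refused.
    return False


# Constructed sample requests covering the cases a policy review should exercise.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "same-origin xhr POST": Request("POST", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}),
    "cross-site form POST": Request("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross-site link GET": Request("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross-site <object> GET": Request("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}),
    "cross-site image GET": Request("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    "legacy browser POST": Request("POST", {}),
    "unknown site value POST": Request("POST", {"Sec-Fetch-Site": "not-a-real-value"}),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the policy over every constructed sample; used for the review table."""
    return {label: is_request_allowed(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{label:28s} -> {'allow' if allowed else 'reject'}")
```

Running the module prints one line per constructed sample. When reviewing a framework's real policy, the cases to compare against are the last three: a subresource fetch from another site, a request with no Fetch Metadata at all, and a header value the code does not recognise. A policy that lets any of the unrecognised or cross-site non-navigation cases through is the shape of defect an advisory like this one describes.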
**Recommendations**
For Apache Wicket versions 9.1.0 through 9.16.0, upgrade to version 9.17.0.
For Apache Wicket milestone releases for the 10.0 series, upgrade to version 10.0.0.
Until the upgrade is applied, a temporary workaround is to restrict access to the sensitive, state-changing operations that depend on Wicket's CSRF protection.