PT-2026-37432 · Apache · Apache Wicket
Pedro Henrique Oliveira Dos Santos
Published: 2026-05-06 · Updated: 2026-05-07
CVE-2026-43975
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Wicket versions 8.0.0 through 8.17.0
Apache Wicket versions 9.0.0 through 9.22.0
Apache Wicket versions 10.0.0 through 10.8.0
Description
FolderUploadsFileManager neither validates nor sanitizes the uploadFieldId parameter or the clientFileName before using them to construct file paths. Both values are attacker-controlled, so an unauthenticated attacker can write files outside the intended upload directory or read files from arbitrary locations on the server (path traversal).
Recommendations
Upgrade to version 10.9.0.
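To make the description concrete, the following is an added, stand-alone illustration of the check a folder-upload file manager needs before touching the filesystem. It is not Apache Wicket code and does not reproduce the vulnerable or fixed implementation; the class name, the method names, the `/var/app/uploads` root, the `[A-Za-z0-9_-]` allowlist for the field id, and the sample inputs are all assumptions made for the example. `unsafeResolve` shows the shape of the bug (attacker-controlled segments concatenated as-is); `safeResolve` shows the three checks that close it: allowlist the id, reduce the client name to its basename, then confirm the normalized result still lies under the upload root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Illustrative example only; not Apache Wicket's FolderUploadsFileManager. */
public final class SafeUploadPath {

    // Assumption: upload field ids are generated markup ids, so a strict allowlist of
    // [A-Za-z0-9_-] is enough and rejects "../", "/", "\\", NUL and similar outright.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Path uploadRoot;

    public SafeUploadPath(Path uploadRoot) {
        // Canonicalize once so the startsWith() check below compares like with like.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /** Vulnerable shape (do not use): both attacker-controlled values become path segments unchanged. */
    public Path unsafeResolve(String uploadFieldId, String clientFileName) {
        return Paths.get(uploadRoot.toString(), uploadFieldId, clientFileName).normalize();
    }

    /** Hardened shape: allowlist the id, keep only the basename of the client name,
     *  then refuse any result that is not inside the upload root. */
    public Path safeResolve(String uploadFieldId, String clientFileName) {
        if (uploadFieldId == null || !SAFE_ID.matcher(uploadFieldId).matches()) {
            throw new IllegalArgumentException("invalid upload field id");
        }
        // Browsers (or an attacker) may send a full path; keep only the last segment and
        // treat both separator styles as separators so "..\\..\\x" is reduced on a POSIX host too.
        String base = clientFileName == null ? "" : clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid client file name");
        }
        Path target = uploadRoot.resolve(uploadFieldId).resolve(base).normalize();
        // Defense in depth: even after sanitizing, never return a path outside the root.
        if (!target.startsWith(uploadRoot)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        SafeUploadPath mgr = new SafeUploadPath(Paths.get("/var/app/uploads"));
        // Constructed attacker input for the demonstration, not taken from a real request.
        String badId = "../../etc";
        String badName = "../../../etc/passwd";

        // Unsafe: both traversal sequences survive and the path lands on /etc/passwd.
        System.out.println("unsafe -> " + mgr.unsafeResolve(badId, badName));

        // Safe: the id is rejected before any path is built.
        try {
            mgr.safeResolve(badId, "report.pdf");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Safe: the traversing client name is reduced to its basename inside the field's folder.
        System.out.println("safe   -> " + mgr.safeResolve("upload3", badName));
        // Safe: a name that is only ".." is rejected rather than silently resolving upward.
        try {
            mgr.safeResolve("upload3", "..");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same resolver must guard every filesystem operation the manager performs, reads and deletes included, since the advisory covers arbitrary file reads as well as writes; sanitizing only the upload path leaves the download path open. The final `startsWith` check is deliberately kept even though the earlier checks should make it unreachable: it is the cheap invariant that catches a future refactor of the sanitization.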
Weakness Enumeration
Path traversal
Affected Products
Apache Wicket