CVE-2026-43975

>= 8.0.0 and <= 8.17.0

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before

6.5MEDIUM

CVE-2026-43646

>= 8.0.0 and <= 8.17.0

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from

7.5HIGH

CVE-2026-42509

>= 8.0.0 and <= 8.17.0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue a

6.1MEDIUM

CVE-2026-40010

>= 8.0.0 and <= 8.17.0

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixati

9.1CRITICAL

CVE-2024-53299

>= 7.0.0 and <= 7.18.0

The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests t

6.5MEDIUM

CVE-2024-36522

>= 8.0.0 and < 8.16.0

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing inp

9.8CRITICAL

CVE-2024-27439

>= 9.1.0 and < 9.17.0

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue

6.5MEDIUM

CVE-2021-23937

>= 6.0.0 and <= 6.2.0

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitr

7.5HIGH

CVE-2020-11976

< 7.17.0

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see po

7.5HIGH

CVE-2012-5636

all versions

Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might all

6.1MEDIUM

CVE-2014-3526

>= 1.5.0 and < 1.5.12

Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive informati

7.5HIGH

CVE-2016-6806

all versions

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cros

8.8HIGH

CVE-2014-0043

all versions

In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existenc

5.3MEDIUM

CVE-2014-7808

>= 1.5.0 and < 1.5.13

Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic pro

7.5HIGH

CVE-2016-6793

>= 1.5.0 and < 1.5.17

The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of ser

9.1CRITICAL

CVE-2015-7520

>= 1.5.0 and < 1.5.15

Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket

6.1MEDIUM

CVE-2015-5347

>= 1.5.0 and < 1.5.15

Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.

6.1MEDIUM

CVE-2013-2055

all versions

Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers

CVE-2012-3373

all versions

Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to in

CVE-2012-1089

all versions

Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbi

CVE-2012-0047

all versions

Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web scri

CVE-2011-2712

all versions

Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, all