Skip to main content

Apache Wicket CVE-2026-42509

| EUVDEUVD-2026-27556 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-06
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 06, 2026 - 20:37 vuln.today
CVSS changed
May 06, 2026 - 20:37 NVD
6.1 (MEDIUM)
CVE Published
May 06, 2026 - 00:45 nvd
MEDIUM 6.1

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Apache Wicket allows unauthenticated remote attackers to inject malicious JavaScript through crafted strings that break out of JavaScript sequence contexts. Affected versions include Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. User interaction (e.g., clicking a malicious link) is required for exploitation. EPSS score of 0.03% (8th percentile) indicates low empirical exploitation probability despite network-accessible attack vector.

Technical ContextAI

Apache Wicket is a Java web application framework that provides server-side component models for building dynamic web UIs. The vulnerability resides in Wicket's JavaScript rendering pipeline, where user-supplied or application-provided strings are serialized into JavaScript contexts without proper escaping or sanitization. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), a context-aware injection flaw. When Wicket constructs JavaScript code that incorporates untrusted data (e.g., component parameters, model values, or localized strings), an attacker can craft strings containing JavaScript sequence terminators (quotes, semicolons, comment markers) to break out of the intended string literal or expression boundary and execute arbitrary JavaScript in the victim's browser context. This affects the Wicket framework across multiple major versions (8.x, 9.x, 10.x lines) in its core JavaScript generation functionality.

RemediationAI

Upgrade Apache Wicket to a patched version released after the vulnerability disclosure (expected versions: 8.18.0 or later, 9.23.0 or later, 10.9.0 or later; confirm exact versions via Apache Wicket release notes and security advisories). If immediate upgrade is not feasible, implement the following compensating controls: (1) Enable and enforce a strict Content Security Policy (CSP) header that restricts script-src to trusted origins only and disallows inline script execution - this will prevent injected JavaScript from executing, though it may require refactoring of inline script dependencies; (2) Apply input validation and sanitization at the application level, escaping or rejecting user inputs that contain JavaScript sequence breakers (quotes, semicolons, comment delimiters) before they reach Wicket's JavaScript rendering pipeline; (3) Mark session and sensitive cookies with HttpOnly and Secure flags to prevent JavaScript access and transmission over unencrypted channels, reducing information disclosure impact; (4) Use a Web Application Firewall (WAF) to detect and block HTTP requests containing common XSS payloads targeting JavaScript contexts. These mitigations may reduce application functionality or introduce latency, so testing is required before production deployment.

Share

CVE-2026-42509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy