Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Cross-site scripting (XSS) vulnerability in Apache Wicket allows unauthenticated remote attackers to inject malicious JavaScript through crafted strings that break out of JavaScript sequence contexts. Affected versions include Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. User interaction (e.g., clicking a malicious link) is required for exploitation. EPSS score of 0.03% (8th percentile) indicates low empirical exploitation probability despite network-accessible attack vector.
Technical ContextAI
Apache Wicket is a Java web application framework that provides server-side component models for building dynamic web UIs. The vulnerability resides in Wicket's JavaScript rendering pipeline, where user-supplied or application-provided strings are serialized into JavaScript contexts without proper escaping or sanitization. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), a context-aware injection flaw. When Wicket constructs JavaScript code that incorporates untrusted data (e.g., component parameters, model values, or localized strings), an attacker can craft strings containing JavaScript sequence terminators (quotes, semicolons, comment markers) to break out of the intended string literal or expression boundary and execute arbitrary JavaScript in the victim's browser context. This affects the Wicket framework across multiple major versions (8.x, 9.x, 10.x lines) in its core JavaScript generation functionality.
RemediationAI
Upgrade Apache Wicket to a patched version released after the vulnerability disclosure (expected versions: 8.18.0 or later, 9.23.0 or later, 10.9.0 or later; confirm exact versions via Apache Wicket release notes and security advisories). If immediate upgrade is not feasible, implement the following compensating controls: (1) Enable and enforce a strict Content Security Policy (CSP) header that restricts script-src to trusted origins only and disallows inline script execution - this will prevent injected JavaScript from executing, though it may require refactoring of inline script dependencies; (2) Apply input validation and sanitization at the application level, escaping or rejecting user inputs that contain JavaScript sequence breakers (quotes, semicolons, comment delimiters) before they reach Wicket's JavaScript rendering pipeline; (3) Mark session and sensitive cookies with HttpOnly and Secure flags to prevent JavaScript access and transmission over unencrypted channels, reducing information disclosure impact; (4) Use a Web Application Firewall (WAF) to detect and block HTTP requests containing common XSS payloads targeting JavaScript contexts. These mitigations may reduce application functionality or introduce latency, so testing is required before production deployment.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27556