GHSA-jvv4-8wxx-m5r6
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Description PRE-NVD
AnalysisAI
Remote unauthenticated attackers can access restricted package resources in Apache Wicket 8.x through 10.x by crafting URLs that bypass PackageResourceGuard protections, leading to unauthorized information disclosure. The vulnerability affects Apache Wicket versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. With CVSS 7.5 (High) but low EPSS (0.02%, 5th percentile), this represents a theoretical high-severity issue without evidence of active exploitation. SSVC assessment confirms no current exploitation, though the attack is automatable against default configurations.
Technical ContextAI
Apache Wicket is a component-oriented Java web application framework. PackageResourceGuard is Wicket's security mechanism that restricts access to package resources (files served directly from Java packages) to prevent unauthorized access to application internals, configuration files, or sensitive data. This vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) allows attackers to craft URLs that circumvent these guard rules, potentially accessing resources that should be protected. The flaw likely involves URL encoding, path traversal sequences, or other URL manipulation techniques that the guard fails to normalize or validate properly before making access control decisions. All three major version branches (8.x, 9.x, 10.x) are affected, suggesting the vulnerability exists in core resource serving logic shared across these releases.
RemediationAI
Upgrade to patched versions: Apache Wicket 8.18.0 or later for the 8.x branch, 9.23.0 or later for 9.x, and 10.9.0 or later for 10.x (inferred from affected version ranges-exact fix versions should be confirmed from Apache advisory at https://lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs). Until patching, implement defense-in-depth controls: require authentication for all application endpoints serving package resources, restrict network access to Wicket applications to trusted IP ranges using firewall rules or reverse proxy ACLs (reduces attack surface but blocks legitimate remote users), and audit PackageResourceGuard configuration to ensure restrictive accept patterns that explicitly whitelist only necessary resource types rather than relying on default deny patterns. For applications serving sensitive configuration files or proprietary code via package resources, move these assets outside the package resource mechanism entirely to filesystem locations with separate access controls. Review application logs for suspicious resource access patterns with URL encoding or path traversal sequences in the May-June 2026 timeframe to detect potential exploitation attempts.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27651