Skip to main content

Apache Wicket EUVDEUVD-2026-27651

| CVE-2026-43646 HIGH
Information Exposure (CWE-200)
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 06, 2026 - 15:22 vuln.today
CVSS changed
May 06, 2026 - 15:22 NVD
7.5 (None) 7.5 (HIGH)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Remote unauthenticated attackers can access restricted package resources in Apache Wicket 8.x through 10.x by crafting URLs that bypass PackageResourceGuard protections, leading to unauthorized information disclosure. The vulnerability affects Apache Wicket versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. With CVSS 7.5 (High) but low EPSS (0.02%, 5th percentile), this represents a theoretical high-severity issue without evidence of active exploitation. SSVC assessment confirms no current exploitation, though the attack is automatable against default configurations.

Technical ContextAI

Apache Wicket is a component-oriented Java web application framework. PackageResourceGuard is Wicket's security mechanism that restricts access to package resources (files served directly from Java packages) to prevent unauthorized access to application internals, configuration files, or sensitive data. This vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) allows attackers to craft URLs that circumvent these guard rules, potentially accessing resources that should be protected. The flaw likely involves URL encoding, path traversal sequences, or other URL manipulation techniques that the guard fails to normalize or validate properly before making access control decisions. All three major version branches (8.x, 9.x, 10.x) are affected, suggesting the vulnerability exists in core resource serving logic shared across these releases.

RemediationAI

Upgrade to patched versions: Apache Wicket 8.18.0 or later for the 8.x branch, 9.23.0 or later for 9.x, and 10.9.0 or later for 10.x (inferred from affected version ranges-exact fix versions should be confirmed from Apache advisory at https://lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs). Until patching, implement defense-in-depth controls: require authentication for all application endpoints serving package resources, restrict network access to Wicket applications to trusted IP ranges using firewall rules or reverse proxy ACLs (reduces attack surface but blocks legitimate remote users), and audit PackageResourceGuard configuration to ensure restrictive accept patterns that explicitly whitelist only necessary resource types rather than relying on default deny patterns. For applications serving sensitive configuration files or proprietary code via package resources, move these assets outside the package resource mechanism entirely to filesystem locations with separate access controls. Review application logs for suspicious resource access patterns with URL encoding or path traversal sequences in the May-June 2026 timeframe to detect potential exploitation attempts.

Share

EUVD-2026-27651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy