Skip to main content

Apache Wicket EUVDEUVD-2026-27653

| CVE-2026-43975 MEDIUM
Path Traversal (CWE-22)
2026-05-06 apache GHSA-3gmf-p6r4-q8m6
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 14:22 vuln.today
Analysis Generated
May 06, 2026 - 14:22 vuln.today
CVSS changed
May 06, 2026 - 14:22 NVD
6.5 (None) 6.5 (MEDIUM)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 260 maven packages depend on org.apache.wicket:wicket-core (256 direct, 4 indirect)

Ecosystem-wide dependent count for version 8.0.0-M1.

DescriptionCVE.org

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

AnalysisAI

Path traversal vulnerability in Apache Wicket's FolderUploadsFileManager allows unauthenticated attackers to read arbitrary files or write files outside the intended upload directory by exploiting unsanitized uploadFieldId and clientFileName parameters. Affected versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0 are vulnerable to remote file access and modification without authentication or user interaction. Vendor-released patch available in version 10.9.0.

Technical ContextAI

FolderUploadsFileManager is a file handling component in Apache Wicket's form upload resource handler that manages server-side storage of user-uploaded files. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal). The component constructs file paths by concatenating the uploadFieldId and clientFileName parameters without validating or canonicalizing them, enabling attackers to inject path traversal sequences (e.g., '../../') to escape the intended upload directory. The underlying issue is that path construction does not use canonicalization checks or path normalization before file system operations, allowing both directory traversal in the upload field identifier and in the client-provided filename.

RemediationAI

Upgrade to Apache Wicket version 10.9.0 or later immediately to receive the vendor-released patch. For users unable to upgrade immediately, restrict HTTP access to upload endpoints using network-level controls (firewall rules, reverse proxy configuration) or apply application-level rate limiting on file upload requests to reduce automated exploitation surface. The patch implements canonical path resolution via toRealPath() and startsWith() validation checks for both uploadFieldId and clientFileName parameters before file operations, preventing directory traversal in both parameters. No workarounds that maintain full upload functionality are available; the fix requires code changes. Refer to the Apache advisory at https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr for version-specific guidance. If deployment uses Wicket 8.x or 9.x, plan an upgrade path to 10.9.0 or apply backport patches if Wicket releases them for earlier branches.

Share

EUVD-2026-27653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy