CVE-2024-36522

CRITICAL

XSLTResourceStream.java - RCE

Title source: llm

Description

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Scores

CVSS v3 9.8
EPSS 0.0827
EPSS Percentile 92.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-74
Status published

Affected Products (4)

apache/wicket < 8.16.0
apache/wicket
apache/wicket
org.apache.wicket/wicket-util < 10.1.0 (Maven)

Timeline

Published Jul 12, 2024
Tracked Since Feb 18, 2026