CVE-2026-43975
Severity: MEDIUM
Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager
Title source: cna

Description
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
References (3)
Patch: https://github.com/apache/wicket/pull/1432
Vendor Advisory: https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr
Scores
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.0062
EPSS Percentile: 70.2%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (7)
apache/wicket: 8.0.0 - 8.17.0
Apache Software Foundation/Apache Wicket: 10.0.0 - 10.8.0
Apache Software Foundation/Apache Wicket: 8.0.0 - 8.17
Apache Software Foundation/Apache Wicket: 9.0.0 - 9.22.0
org.apache.wicket/wicket-core (Maven): 10.0.0-M1 - 10.9.0
org.apache.wicket/wicket-core (Maven): 8.0.0-M1 - 8.17.0
org.apache.wicket/wicket-core (Maven): 9.0.0-M1 - 9.22.0
Published: May 06, 2026
Tracked Since: May 06, 2026