Apache Wicket: Remote code execution via XSLT injection
Description
Apache Wicket's XSLTResourceStream default configuration allows remote code execution via XSLT injection from untrusted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The default configuration of XSLTResourceStream.java in Apache Wicket is susceptible to XSLT injection, leading to remote code execution when it processes input from an untrusted source without validation [2][3]. XSLTResourceStream wraps a JAXP XSLT transformation, and the default factory configuration does not restrict what a stylesheet is allowed to do, so an attacker who controls the stylesheet can inject XSLT that calls into the Java runtime.
Exploitation
Conditions
The attack requires that the application hand attacker-controlled data to an XSLTResourceStream without validation, for example a stylesheet assembled from request parameters or taken from an uploaded file [3]. The stylesheet carries the payload: Java XSLT processors such as the JDK's built-in Xalan/XSLTC expose extension functions that invoke arbitrary public Java methods, so a crafted stylesheet can reach java.lang.Runtime. Where such a resource is mounted on a publicly reachable URL, no authentication is required.
Impact
Successful exploitation enables arbitrary code execution in the context of the application server, potentially leading to full system compromise, data theft, or further lateral movement [2][3].
Mitigation
The vulnerability is fixed in Apache Wicket versions 10.1.0, 9.18.0, and 8.16.0 [2][3]. Users are strongly advised to upgrade immediately. The advisory provides no official workaround for unpatched versions; as a general precaution while an upgrade is pending, audit the code base for uses of XSLTResourceStream and make sure every stylesheet it loads comes from a trusted source (such as a bundled classpath resource) and never from request data or user uploads.
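The following Java program is an added example that is not part of this advisory, Wicket's code, or Wicket's actual patch. It shows the mechanism described in the Overview and the kind of hardening the Mitigation section implies: the same untrusted stylesheet is run through a default JAXP TransformerFactory and through one with secure processing enabled. The stylesheet and input document are constructed for this example; the stylesheet calls a harmless `System.getProperty` through the Xalan Java extension namespace in place of `java.lang.Runtime.exec`, since both are reached the same way.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example for the XSLT injection class of bug behind CVE-2024-36522.
 * Not Wicket's code and not its patch: it contrasts a default JAXP factory
 * with one configured for secure processing.
 */
public class XsltInjectionDemo {

    /** Constructed input document; its content does not matter to the attack. */
    static final String INPUT_XML = "<doc/>";

    /**
     * Constructed attacker-controlled stylesheet. It uses the Xalan/XSLTC
     * Java extension-function namespace shipped with the JDK. Reading a
     * system property stands in for java.lang.Runtime.exec, which a real
     * payload would call through exactly the same namespace.
     */
    static final String UNTRUSTED_XSLT = String.join("\n",
        "<xsl:stylesheet version=\"1.0\"",
        "    xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"",
        "    xmlns:java=\"http://xml.apache.org/xalan/java\">",
        "  <xsl:output method=\"text\"/>",
        "  <xsl:template match=\"/\">",
        "    <xsl:value-of select=\"java:java.lang.System.getProperty('java.version')\"/>",
        "  </xsl:template>",
        "</xsl:stylesheet>");

    /** Vulnerable pattern: default factory fed an untrusted stylesheet. */
    static String transformUnsafe(String xslt, String xml) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        return run(tf, xslt, xml);
    }

    /**
     * Hardened pattern: FEATURE_SECURE_PROCESSING makes the JDK processor
     * reject extension-function calls at stylesheet compile time, and the
     * empty ACCESS_EXTERNAL_* protocol lists block fetching external DTDs
     * and imported stylesheets (an SSRF/XXE-style side channel).
     */
    static String transformHardened(String xslt, String xml) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return run(tf, xslt, xml);
    }

    private static String run(TransformerFactory tf, String xslt, String xml) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println("unsafe   : " + transformUnsafe(UNTRUSTED_XSLT, INPUT_XML).trim());
        } catch (TransformerException e) {
            System.out.println("unsafe   : rejected (" + e.getMessage() + ")");
        }
        try {
            System.out.println("hardened : " + transformHardened(UNTRUSTED_XSLT, INPUT_XML).trim());
        } catch (TransformerException e) {
            System.out.println("hardened : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac XsltInjectionDemo.java && java XsltInjectionDemo`. On a JDK where extension functions are enabled (the historical default, governed by the `jdk.xml.enableExtensionFunctions` property), the unsafe path prints the JVM version, proving the stylesheet executed Java; the hardened path fails in `newTransformer` with a TransformerConfigurationException stating that extension functions are not allowed under secure processing. Secure processing is a factory-level setting, so the check belongs wherever the factory is created, not in per-request validation of stylesheet text.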
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.wicket:wicket-util | Maven | >= 10.0.0-M1, < 10.1.0 | 10.1.0 |
| org.apache.wicket:wicket-util | Maven | >= 9.0.0, < 9.18.0 | 9.18.0 |
| org.apache.wicket:wicket-util | Maven | >= 8.0.0, < 8.16.0 | 8.16.0 |
Affected products
- Apache Software Foundation / Apache Wicket (CVE v5 record range starting at 10.0.0-M1; see the package table above for all affected branches)
References
1. github.com/advisories/GHSA-hhwc-gh8h-9rrp (GitHub Security Advisory)
2. lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc (Apache vendor advisory)
3. nvd.nist.gov/vuln/detail/CVE-2024-36522 (NVD record)
4. www.openwall.com/lists/oss-security/2024/07/12/2 (oss-security announcement)