High severity7.5NVD Advisory· Published May 6, 2026· Updated May 6, 2026
CVE-2026-43646
CVE-2026-43646
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.wicket:wicket-parentMaven | >= 8.0.0-M1, <= 8.17.0 | — |
org.apache.wicket:wicket-parentMaven | >= 9.0.0-M1, <= 9.22.0 | — |
org.apache.wicket:wicket-parentMaven | >= 10.0.0-M1, < 10.9.0 | 10.9.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- www.openwall.com/lists/oss-security/2026/05/06/3nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-jvv4-8wxx-m5r6ghsaADVISORY
- lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rsnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-43646ghsaADVISORY
News mentions
0No linked articles in our index yet.