Medium severity (6.5) · NVD Advisory · Published May 6, 2026 · Updated May 6, 2026
CVE-2026-43975
Description
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server.
This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.
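The check the description says is missing, shown as a hardened path-construction helper; this is an added example written for this page, not Wicket's code or its fix, and the class name `SafeUploadPath`, the `resolve` signature and the id allow-list regex are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Hypothetical helper (not Wicket's own code): build an upload path from the two
// request-controlled values named in the advisory, refusing anything that could
// land outside the configured upload directory.
public final class SafeUploadPath {
    // Upload field ids are framework-generated, so a strict allow-list is enough.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    public static Path resolve(Path uploadDir, String uploadFieldId, String clientFileName)
            throws IOException {
        if (uploadFieldId == null || !SAFE_ID.matcher(uploadFieldId).matches()) {
            throw new IllegalArgumentException("rejected uploadFieldId: " + uploadFieldId);
        }
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("rejected empty clientFileName");
        }
        // Keep only the final element of the client-supplied name: browsers may send a
        // full client-side path, and a hostile client can send separators or "..".
        Path last = Paths.get(clientFileName.replace('\\', '/')).getFileName();
        String name = last == null ? "" : last.toString();
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("rejected clientFileName: " + clientFileName);
        }
        // Canonicalise the base (follows symlinks) and check containment after
        // normalisation; with the filters above this is defence in depth.
        Path base = uploadDir.toRealPath();
        Path target = base.resolve(uploadFieldId).resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        // Accepted; a traversal-style client name is reduced to its last element.
        System.out.println(resolve(base, "file12", "..\\..\\etc\\passwd"));
        // Rejected: the field id is not in the allow-list, and ".." is not a file name.
        for (String[] in : new String[][] {{"../../tmp", "x.txt"}, {"file12", ".."}}) {
            try { resolve(base, in[0], in[1]); }
            catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        }
    }
}
```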
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.wicket:wicket-core (Maven) | >= 8.0.0-M1, <= 8.17.0 | — |
| org.apache.wicket:wicket-core (Maven) | >= 9.0.0-M1, <= 9.22.0 | — |
| org.apache.wicket:wicket-core (Maven) | >= 10.0.0-M1, < 10.9.0 | 10.9.0 |
References
- github.com/apache/wicket/pull/1432 (NVD: Issue Tracking, Patch)
- www.openwall.com/lists/oss-security/2026/05/06/4 (NVD: Mailing List, Third Party Advisory)
- github.com/advisories/GHSA-3gmf-p6r4-q8m6 (GHSA: Advisory)
- lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-43975 (GHSA: Advisory)
- github.com/apache/wicket/commit/72470983f689c61e6a6c0b7388ef955f23bb1e16 (GHSA)