=====================================================================
CERT-Renater Information Note No. 2026/VULN464
_____________________________________________________________________

DATE : 06/05/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Wicket versions prior to 10.9.0.
=====================================================================

https://lists.apache.org/thread/8xz9loc4gxxdjmj6dqthv5cntbhyp6yk
https://lists.apache.org/thread/znox74w5sq4oyjts945q77bfoqlmblly
https://lists.apache.org/thread/6y152nody5kf9vzfnsb7km6ckpfojylw
https://lists.apache.org/thread/t8wbwsxv85ob6wf8zr3hmlo7pc3tbzkz
_____________________________________________________________________

CVE-2026-40010: Apache Wicket: possible session fixation using AuthenticatedWebSession

Severity: critical

Affected versions:
- Apache Wicket 10.0.0 through 10.8.0
- Apache Wicket 8.0.0 through 8.17.0
- Apache Wicket 9.0.0 through 9.22.0

Description:
The Servlet HTTP request method changeSessionId is not invoked after the session is bound, which can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References:
https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40010
_____________________________________________________________________

CVE-2026-42509: Apache Wicket: crafted strings can break out of the JavaScript sequence

Severity: important

Affected versions:
- Apache Wicket 8.0.0 through 8.17.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 10.0.0 through 10.8.0

Description:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.
Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References:
https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-42509
_____________________________________________________________________

CVE-2026-43646: Apache Wicket: crafted URLs can bypass PackageResourceGuard

Severity: critical

Affected versions:
- Apache Wicket 8.0.0 through 8.17.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 10.0.0 through 10.8.0

Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References:
https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43646
_____________________________________________________________________

CVE-2026-43975: Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager

Severity: critical

Affected versions:
- Apache Wicket 10.0.0 through 10.8.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 8.0.0 through 8.17

Description:
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.
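As an added illustration of the FolderUploadsFileManager issue described above (example code written for this note, not Wicket's own fix from the referenced pull request): a hypothetical helper that derives the upload target from the two client-controlled values, uploadFieldId and clientFileName, and rejects any value that would place the file outside the configured upload directory. The class and method names and the sample base directory are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Wicket's code: a hypothetical helper that builds
// <baseDir>/<uploadFieldId>/<clientFileName> and refuses any input that
// could escape baseDir, i.e. the validation CVE-2026-43975 says was missing.
public final class SafeUploadPath {

    private SafeUploadPath() {
    }

    public static Path resolve(Path baseDir, String uploadFieldId, String clientFileName) {
        Path base = baseDir.toAbsolutePath().normalize();

        // uploadFieldId must be exactly one path element: no separators, no "." or "..".
        String field = requireSingleComponent(uploadFieldId, "uploadFieldId");

        // Browsers may send a full client-side path; keep only the last element,
        // then apply the same single-component rule to it.
        if (clientFileName == null) {
            throw new IllegalArgumentException("clientFileName is missing");
        }
        int cut = Math.max(clientFileName.lastIndexOf('/'), clientFileName.lastIndexOf('\\'));
        String name = requireSingleComponent(clientFileName.substring(cut + 1), "clientFileName");

        // Defence in depth: after normalisation the target must still sit exactly
        // two elements below base (field directory, then file name).
        Path target = base.resolve(field).resolve(name).normalize();
        if (!target.startsWith(base) || target.getNameCount() != base.getNameCount() + 2) {
            throw new IllegalArgumentException("upload path escapes the upload directory");
        }
        return target;
    }

    private static String requireSingleComponent(String value, String what) {
        if (value == null || value.isEmpty() || value.equals(".") || value.equals("..")
                || value.indexOf('/') >= 0 || value.indexOf('\\') >= 0 || value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException(what + " is not a plain file-name component");
        }
        return value;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/app/uploads"); // constructed sample directory
        System.out.println(resolve(base, "fileInput7", "report.pdf"));
        String[][] rejected = { { "../../etc", "passwd" }, { "fileInput7", "sub/.." } };
        for (String[] r : rejected) {
            try {
                resolve(base, r[0], r[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + r[0] + " / " + r[1] + ": " + e.getMessage());
            }
        }
    }
}
```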
References:
https://github.com/apache/wicket/pull/1432
https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43975
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email: cert@support.renater.fr  +
=========================================================