Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, allowing an attacker to inject crafted strings that break out of a JavaScript context. This cross‑site scripting flaw can enable attackers to inject and execute arbitrary JavaScript in the context of legitimate users, potentially leading to session hijacking, credential theft, or defacement of the application. The weakness is a classic example of CWE‑79, where input is not correctly sanitized before being rendered into a web page.

Affected Systems

Apache Software Foundation's Apache Wicket web framework is affected in all released versions from 8.0.0 through 8.17.0, the single 9.0.0 release, and from 10.0.0 through 10.8.0. Users running any of these versions should be aware of the risk.

Risk and Exploitability

There is no public CVSS score available and the EPSS score is not provided, but the flaw is broadly exploitable via normal web requests and does not require elevated privileges. It is not listed in the CISA KEV catalog. Attackers can leverage the vulnerability by crafting malicious input that is rendered within JavaScript, typically through URLs or input fields, to cause arbitrary script execution in the user’s browser.

Generated by OpenCVE AI on May 6, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Wicket to version 10.9.0 or later, which contains the fix for this cross‑site scripting issue.
  • If an immediate upgrade is not feasible, enforce server‑side sanitization of all user‑supplied data that could be incorporated into JavaScript contexts, or disable components that render such data until a patch is applied.
  • Deploy a strong Content Security Policy that restricts script sources and mitigates the impact of any residual XSS exposure.

Generated by OpenCVE AI on May 6, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache wicket
Vendors & Products Apache
Apache wicket

Wed, 06 May 2026 10:30:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
Title Apache Wicket: crafted strings can break out of the JavaScript sequence
Weaknesses CWE-79
References

Subscriptions

Apache Wicket
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-06T09:51:12.253Z

Reserved: 2026-04-28T02:18:41.687Z

Link: CVE-2026-42509

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-06T10:16:20.217

Modified: 2026-05-06T10:16:20.217

Link: CVE-2026-42509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T11:30:26Z

Weaknesses