Impact
FolderUploadsFileManager in Apache Wicket fails to validate or sanitize the uploadFieldId parameter and the clientFileName prior to constructing file paths, allowing an unauthenticated attacker to craft paths that resolve outside the intended upload directory. This flaw enables the attacker to write arbitrary files to arbitrary locations on the server or read files from arbitrary locations. By writing malicious code to a web-executable directory the attacker can achieve remote code execution; alternatively, reading configuration files or logs can lead to data exposure, threatening confidentiality, integrity, and potentially availability.
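The following is an added illustration, not code from Apache Wicket, of the weakness described above: a path built directly from the two caller-controlled values next to a containment check that rejects values escaping the upload root. The class and method names, the upload root and the sample inputs are assumed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Wicket's own code): contrasts unchecked path construction
// from uploadFieldId / clientFileName with a version that confines the result
// to the upload directory.
public class UploadPathCheck {

    // Vulnerable pattern: both caller-controlled values go straight into the path,
    // so ".." segments or separators move the target outside uploadRoot.
    static Path unsafeResolve(Path uploadRoot, String uploadFieldId, String clientFileName) {
        return uploadRoot.resolve(uploadFieldId).resolve(clientFileName);
    }

    // Hardened pattern: each value must be a single path segment, and the
    // normalized absolute result must still lie under the normalized root.
    static Path safeResolve(Path uploadRoot, String uploadFieldId, String clientFileName) {
        requireSingleSegment(uploadFieldId, "uploadFieldId");
        requireSingleSegment(clientFileName, "clientFileName");
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(uploadFieldId).resolve(clientFileName).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    // Rejects empty values, separators, NUL bytes and the dot segments "." and "..".
    private static void requireSingleSegment(String value, String name) {
        if (value == null || value.isEmpty() || value.contains("/") || value.contains("\\")
                || value.indexOf('\0') >= 0 || value.equals(".") || value.equals("..")) {
            throw new IllegalArgumentException(name + " must be a single path segment");
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads"); // assumed upload root
        // Constructed sample input: a traversal segment in the field id.
        System.out.println(unsafeResolve(root, "../outside", "note.txt").normalize());
        try {
            safeResolve(root, "../outside", "note.txt");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(safeResolve(root, "field42", "report.pdf"));
    }
}
```

The unchecked call normalizes to /var/app/outside/note.txt, outside the root, while the checked call refuses the same input and only accepts plain segments such as field42/report.pdf.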
Affected Systems
The weakness is present in Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0 through 9.22.0, and 10.0.0 through 10.8.0. Any web application that depends on these releases and exposes the default FolderUploadsFileManager is impacted. Users are advised to upgrade to version 10.9.0 or later, which contains the fix.
Risk and Exploitability
The flaw does not require authentication and can be triggered via a normal HTTP request, making the attack vector remote over the web. The CVSS score is 6.5, indicating moderate severity. The EPSS score is 0.00039, indicating an extremely low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the widespread use of Apache Wicket multiplies the risk of exploitation; attackers could achieve read/write access or embed malicious code leading to full server compromise.