Session Fixation Vulnerability in Apache Wicket Affecting Multiple Versions
CVE-2026-40010
Currently unrated
What is CVE-2026-40010?
Apache Wicket is vulnerable to session fixation because it does not call the Servlet API method HttpServletRequest.changeSessionId() after session binding. Without that call the session ID is not changed at that point, which attackers can exploit to hijack user sessions, posing a significant risk to web application security. Users are advised to upgrade to version 10.9.0 or later to mitigate this issue.
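The pattern the missing call protects, sketched for a plain servlet application as an added example; it is not Wicket's code or its patch. SessionRotation, rotateOnLogin and the authenticatedUser attribute are hypothetical names, and the jakarta.servlet namespace is assumed (older containers use javax.servlet).

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;

/** Hypothetical helper: rotates the session ID at the moment a user authenticates. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call after credentials are verified and before any authenticated
     * state is stored. Returns the session ID that is valid after login.
     */
    public static String rotateOnLogin(HttpServletRequest request, String username) {
        // getSession(false) returns null instead of creating a session.
        HttpSession session = request.getSession(false);
        String preLoginId = (session != null) ? session.getId() : null;

        if (session == null) {
            // No pre-login session exists, so create a fresh one.
            // changeSessionId() would throw IllegalStateException here.
            session = request.getSession(true);
        } else {
            // Keeps the session's attributes but issues a new ID, so an ID
            // known before login no longer maps to this session.
            request.changeSessionId();
            session = request.getSession(false);
        }

        String postLoginId = session.getId();
        if (postLoginId.equals(preLoginId)) {
            // Fail closed if the container did not actually rotate the ID.
            session.invalidate();
            throw new IllegalStateException("session ID unchanged after login");
        }

        // Hypothetical attribute name; store authenticated state only after rotation.
        session.setAttribute("authenticatedUser", username);
        return postLoginId;
    }
}
```

A regression test for a login flow can assert the same property from outside: the session cookie value sent before authentication must differ from the one in use afterwards.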
Affected Version(s)
Apache Wicket 10.0.0 through 10.8.0
Apache Wicket 8.0.0 through 8.17.0
Apache Wicket 9.0.0 through 9.22.0