Cross-site Scripting Vulnerability in Apache Wicket by Apache
CVE-2026-42509

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Wicket
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-42509?

The vulnerability in Apache Wicket arises from improper sanitization of user input during web page generation, leading to potential cross-site scripting attacks. Affected versions range from Apache Wicket 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0. To mitigate this risk, users are strongly encouraged to upgrade to version 10.9.0, which addresses this security concern.

Affected Version(s)

Apache Wicket 8.0.0 <= 8.17.0

Apache Wicket 9.0.0 <= 9.22.0

Apache Wicket 10.0.0 <= 10.8.0

References

https://lists.apache.org/thread/52nrq4tt07gxz4r6sj5gyocz5...

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 28, 2026

CVE-2026-42509 Data

JSON