Cross-site Scripting Vulnerability in Apache Wicket by Apache
CVE-2026-42509

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Wicket
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-42509?

The vulnerability in Apache Wicket arises from improper sanitization of user input during web page generation, leading to potential cross-site scripting attacks. Affected versions range from Apache Wicket 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0. To mitigate this risk, users are strongly encouraged to upgrade to version 10.9.0, which addresses this security concern.

Affected Version(s)

Apache Wicket 8.0.0 <= 8.17.0

Apache Wicket 9.0.0 <= 9.22.0

Apache Wicket 10.0.0 <= 10.8.0

References

https://lists.apache.org/thread/52nrq4tt07gxz4r6sj5gyocz5...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 28, 2026

CVE-2026-42509 Data

JSON