Directory Traversal Vulnerability in Apache Wicket File Management
CVE-2026-43975
Currently unrated
What is CVE-2026-43975?
A vulnerability exists in the FolderUploadsFileManager of Apache Wicket due to insufficient validation of the uploadFieldId parameter and the clientFileName. This allows an unauthenticated attacker to construct file paths that place uploaded files outside the designated upload directory or that read sensitive files from any location on the server. To mitigate this risk, it is strongly recommended that users upgrade to version 10.9.0, which addresses this vulnerability.
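A containment check of the kind this class of flaw calls for, as an added example that is not Apache Wicket code or its actual patch. It assumes a storage layout of upload root / uploadFieldId / clientFileName; the class name, method names and sample inputs are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hypothetical helper, not Apache Wicket code or its patch.
public class UploadPathCheck {

    // Resolves root/uploadFieldId/clientFileName (assumed layout) and rejects
    // any result that leaves the upload root.
    static Path resolveInside(Path uploadRoot, String uploadFieldId, String clientFileName)
            throws IOException {
        Path root = uploadRoot.toRealPath(); // canonical base, symlinks resolved
        requireSingleSegment(uploadFieldId, "uploadFieldId");
        requireSingleSegment(clientFileName, "clientFileName");
        Path candidate = root.resolve(uploadFieldId).resolve(clientFileName).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "uploads-old" never passes as a child of "uploads".
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes upload root");
        }
        return candidate;
    }

    // Both request-supplied values must be one plain path segment.
    private static void requireSingleSegment(String value, String name) {
        if (value == null || value.isEmpty() || value.equals(".") || value.equals("..")
                || value.indexOf('/') >= 0 || value.indexOf('\\') >= 0
                || value.indexOf('\0') >= 0) {
            throw new SecurityException(name + " is not a plain file name");
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads"); // constructed sample root
        String[][] samples = { // constructed {uploadFieldId, clientFileName} pairs
            {"field1", "report.pdf"},
            {"..", "outside.txt"},
            {"field1", "../../outside.txt"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("accepted: " + resolveInside(root, s[0], s[1]));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```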
Affected Version(s)
Apache Wicket 10.0.0 <= 10.8.0
Apache Wicket 9.0.0 <= 9.22.0
Apache Wicket 8.0.0 <= 8.17