216.73.216.86

CVE-2026-43975

· Published 06/05/2026 10:16 · Modified 06/05/2026 20:29

Labels: CVE-2026-43975 2026-05-06CVE-2026-43975CWE-22[email protected]

Essential information

Published
06/05/2026 10:16
Modified
06/05/2026 20:29
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
apache / wicket cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
apache / wicket cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
apache / wicket cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*

References