Every CVE whose affected-product data names Apache Wicket, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (22)
CVE-2024-36522 — CVSS 9.8 (critical): The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from…
CVE-2026-40010 — CVSS 9.1 (critical): Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack…
CVE-2016-6793 — CVSS 9.1 (critical): The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service…
CVE-2016-6806 — CVSS 8.8 (high): Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin…
CVE-2014-3526 — CVSS 7.5 (high): Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via…
CVE-2014-7808 — CVSS 7.5 (high): Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection…
CVE-2026-43646 — CVSS 7.5 (high): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0…
CVE-2021-23937 — CVSS 7.5 (high): A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS…
CVE-2020-11976 — CVSS 7.5 (high): By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly…
CVE-2026-43975 — CVSS 6.5 (medium): FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before…
CVE-2024-27439 — CVSS 6.5 (medium): An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects…
CVE-2024-53299 — CVSS 6.5 (medium): The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server…
CVE-2026-42509 — CVSS 6.1 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects…
CVE-2015-5347 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.Moda…
CVE-2012-5636 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote…
CVE-2015-7520 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x…
CVE-2014-0043 — CVSS 5.3 (medium): In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of…
CVE-2012-1089 — CVSS 5.0 (medium): Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary…
CVE-2013-2055 — CVSS 5.0 (medium): Unspecified vulnerability in Apache Wicket 1.4.x before 1.4.23, 1.5.x before 1.5.11, and 6.x before 6.8.0 allows remote attackers to obtain…
CVE-2012-3373 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject…
CVE-2012-0047 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.20 allows remote attackers to inject arbitrary web script or…
CVE-2011-2712 — CVSS 2.6 (low): Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows…