CVE-2026-43975

Published: Mag 06, 2026 Last Modified: Mag 06, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName
before constructing file paths, allowing an unauthenticated attacker to
write arbitrary files outside the intended upload directory or read
files from arbitrary locations on the server.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies: AI/ML
Likelihood of Exploit: High
View CWE Details
http://www.openwall.com/lists/oss-security/2026/05/06/4
http://www.openwall.com/lists/oss-security/2026/05/06/4
https://github.com/apache/wicket/pull/1432
https://github.com/apache/wicket/pull/1432
https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1d…
https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr