Vulnerability Description
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
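As an added illustration, not Wicket's own code and not the fix from the referenced pull request, the following hypothetical helper shows the checks the description says are missing: an allowlist on `uploadFieldId`, reduction of `clientFileName` to a bare file name, and a containment check on the normalized path before any file is touched. The class name, the identifier pattern and the `/srv/uploads` root are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not Wicket's FolderUploadsFileManager) that validates
 * both client-controlled inputs and then verifies the resolved target stays
 * inside uploadRoot/<uploadFieldId>/.
 */
public final class SafeUploadPath {
    // Allowlist for the field id: simple identifiers only, no separators.
    private static final Pattern FIELD_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Path uploadRoot;

    public SafeUploadPath(Path uploadRoot) {
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /** Drops any directory component the client may have sent (either separator). */
    static String baseName(String clientFileName) {
        int cut = Math.max(clientFileName.lastIndexOf('/'), clientFileName.lastIndexOf('\\'));
        return clientFileName.substring(cut + 1);
    }

    /** Returns the resolved target, or throws if either input would escape the field directory. */
    public Path resolve(String uploadFieldId, String clientFileName) {
        if (uploadFieldId == null || !FIELD_ID.matcher(uploadFieldId).matches()) {
            throw new IllegalArgumentException("invalid uploadFieldId");
        }
        String name = baseName(clientFileName == null ? "" : clientFileName);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid clientFileName");
        }
        Path fieldDir = uploadRoot.resolve(uploadFieldId).normalize();
        Path target = fieldDir.resolve(name).normalize();
        // Containment check on the normalized path: a second line of defence
        // independent of the name filtering above.
        if (!target.startsWith(fieldDir) || target.equals(fieldDir)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        SafeUploadPath p = new SafeUploadPath(Paths.get("/srv/uploads")); // constructed root
        System.out.println(p.resolve("avatar", "photo.png"));
        for (String[] bad : new String[][] {{"../other", "photo.png"}, {"avatar", "../../x.txt"}}) {
            try { p.resolve(bad[0], bad[1]); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```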
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Wicket | >= 8.0.0, <= 8.17.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/wicket/pull/1432 (Issue Tracking, Patch)
- https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/05/06/4 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2026-43975?
CVE-2026-43975 is a vulnerability with a CVSS score of 6.5 (MEDIUM). FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to writ...
How severe is CVE-2026-43975?
CVE-2026-43975 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-43975?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Wicket.