CVE-2026-43646: Apache Wicket has an Exposure of Sensitive Information to an Unauthorized Actor vulnerability

May 6, 2026 (updated May 11, 2026)

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

References

github.com/advisories/GHSA-jvv4-8wxx-m5r6
lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs
nvd.nist.gov/vuln/detail/CVE-2026-43646

Code Behaviors & Features

Detect and mitigate CVE-2026-43646 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →