CVE-2026-42509: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache Software Foundation Apache Wicket
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
AI Analysis
Technical Summary
This vulnerability in Apache Wicket involves improper neutralization of input during web page generation, classified as CWE-79 (Cross-site Scripting). It affects multiple versions of Apache Wicket, specifically from 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0. The vendor has released version 10.9.0 which fixes this issue. No CVSS score is provided, and no known exploits in the wild have been reported as of the publication date.
Potential Impact
The vulnerability allows for Cross-site Scripting attacks, which could enable attackers to inject malicious scripts into web pages generated by affected versions of Apache Wicket. This can lead to client-side code execution in the context of the affected web application, potentially compromising user data or session integrity. No reports of active exploitation are known.
Mitigation Recommendations
Users of Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0 should upgrade to version 10.9.0, which contains the fix for this vulnerability. Patch status is confirmed by the vendor's recommendation to upgrade. No alternative mitigations or temporary fixes are indicated.
CVE-2026-42509: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache Software Foundation Apache Wicket
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Apache Wicket involves improper neutralization of input during web page generation, classified as CWE-79 (Cross-site Scripting). It affects multiple versions of Apache Wicket, specifically from 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0. The vendor has released version 10.9.0 which fixes this issue. No CVSS score is provided, and no known exploits in the wild have been reported as of the publication date.
Potential Impact
The vulnerability allows for Cross-site Scripting attacks, which could enable attackers to inject malicious scripts into web pages generated by affected versions of Apache Wicket. This can lead to client-side code execution in the context of the affected web application, potentially compromising user data or session integrity. No reports of active exploitation are known.
Mitigation Recommendations
Users of Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0 should upgrade to version 10.9.0, which contains the fix for this vulnerability. Patch status is confirmed by the vendor's recommendation to upgrade. No alternative mitigations or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-28T02:18:41.687Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fb086bcbff5d8610c51179
Added to database: 5/6/2026, 9:22:51 AM
Last enriched: 5/6/2026, 9:36:33 AM
Last updated: 5/7/2026, 7:42:41 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.