Security Vulnerability Report
中文
CVE-2026-43646 CVSS 7.5 HIGH

CVE-2026-43646

Published: 2026-05-06 10:16:26
Last Modified: 2026-05-06 20:29:51
Source: [email protected]

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:* - VULNERABLE
Apache Wicket 8.0.0 - 8.17.0
Apache Wicket 9.0.0 - 9.22.0
Apache Wicket 10.0.0 - 10.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def check_vulnerability(url): # Conceptual PoC for CVE-2026-43646 # This checks if an endpoint reveals sensitive info try: response = requests.get(url, timeout=10) # Look for common sensitive patterns in response sensitive_keywords = ['password', 'secret', 'token', 'internal'] found = [word for word in sensitive_keywords if word in response.text.lower()] if found: print(f"[+] Potential sensitive information found: {found}") return True else: print("[-] No obvious leakage detected.") return False except Exception as e: print(f"[!] Error connecting to target: {e}") return False if __name__ == "__main__": target = "http://example.com/vulnerable-page" check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43646", "sourceIdentifier": "[email protected]", "published": "2026-05-06T10:16:26.037", "lastModified": "2026-05-06T20:29:51.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.17.0", "matchCriteriaId": "757E1B16-2C43-4B59-82BE-DEA456EF0F28"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.22.0", "matchCriteriaId": "7977D77A-1CBF-41E0-BFE7-55C5B22CD85C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.9.0", "matchCriteriaId": "CE199A15-1741-4988-8C6A-D54F202F65E3"}]}]}], "references": [{"url": "https://lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/06/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.