- Description
- Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- wicket
CVSS 3.1
- Type
- Primary
- Base score
- 9.1
- Impact score
- 5.2
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Severity
- CRITICAL
- nvd@nist.gov
- CWE-384
- Hype score
- Not currently trending
【脆弱性情報】 CVE-2026-40010 Apache Wicketの脆弱性について https://t.co/XPq9ZTvRtq #IT #Security #cybersecurity
@Teeeda_worker
30 May 2026
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CRITICAL: CVE-2026-40010 (CVSS 9.1) — apache wicket. CVE: CVE-2026-40010 CVSS: 9.1 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Severity: CRITICAL Status: Critical advisory
@lyrie_ai
12 May 2026
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "757E1B16-2C43-4B59-82BE-DEA456EF0F28",
"versionEndIncluding": "8.17.0",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7977D77A-1CBF-41E0-BFE7-55C5B22CD85C",
"versionEndIncluding": "9.22.0",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE199A15-1741-4988-8C6A-D54F202F65E3",
"versionEndExcluding": "10.9.0",
"versionStartIncluding": "10.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]