<0.1% probability · 24.3th percentile — 2026-05-07
Affected versions
Apache Wicket 8.0.0-8.17.0, 9.0.0, 10.0.0-10.8.0
Summary
This is a critical session fixation vulnerability in the Apache Wicket web framework. It occurs because the Servlet changeSessionId method is not called after session binding. Attackers can exploit this to hijack authenticated user sessions on affected web applications.
Remediation
Upgrade Apache Wicket to version 10.9.0 or later to resolve the issue. For older unsupported branches, add manual session ID regeneration after user authentication as a temporary mitigation.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.