{"url":"http://public2.vulnerablecode.io/api/packages/23405?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@9.3.0","type":"maven","namespace":"org.apache.wicket","name":"wicket-core","version":"9.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.23.0","latest_non_vulnerable_version":"10.9.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65522?format=json","vulnerability_id":"VCID-2w3q-f5uq-sbau","summary":"FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName\n before constructing file paths, allowing an unauthenticated attacker to\n write arbitrary files outside the intended upload directory or read \nfiles from arbitrary locations on the server.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43975","reference_id":"","reference_type":"","scores":[{"value":"0.01038","scoring_system":"epss","scoring_elements":"0.77905","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01038","scoring_system":"epss","scoring_elements":"0.77892","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01038","scoring_system":"epss","scoring_elements":"0.77824","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43975"},{"reference_url":"https://github.com/apache/wicket","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/wicket"},{"reference_url":"https://github.com/apache/wicket/commit/72470983f689c61e6a6c0b7388ef955f23bb1e16","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/wicket/commit/72470983f689c61e6a6c0b7388ef955f23bb1e16"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43975","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43975"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/05/06/4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/05/06/4"},{"reference_url":"https://github.com/apache/wicket/pull/1432","reference_id":"1432","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T13:05:40Z/"}],"url":"https://github.com/apache/wicket/pull/1432"},{"reference_url":"https://github.com/advisories/GHSA-3gmf-p6r4-q8m6","reference_id":"GHSA-3gmf-p6r4-q8m6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3gmf-p6r4-q8m6"},{"reference_url":"https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr","reference_id":"xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T13:05:40Z/"}],"url":"https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1060191?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@9.23.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@9.23.0"},{"url":"http://public2.vulnerablecode.io/api/packages/375950?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@10.9.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@10.9.0"}],"aliases":["CVE-2026-43975","GHSA-3gmf-p6r4-q8m6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2w3q-f5uq-sbau"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210429?format=json","vulnerability_id":"VCID-dv5f-29j2-cub5","summary":"DNS based denial of service in Apache Wicket","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23937","reference_id":"","reference_type":"","scores":[{"value":"0.05235","scoring_system":"epss","scoring_elements":"0.90208","published_at":"2026-06-12T12:55:00Z"},{"value":"0.05235","scoring_system":"epss","scoring_elements":"0.90177","published_at":"2026-06-11T12:55:00Z"},{"value":"0.05235","scoring_system":"epss","scoring_elements":"0.90216","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23937"},{"reference_url":"https://github.com/apache/wicket","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/wicket"},{"reference_url":"https://github.com/apache/wicket/commit/84f62a5cff462eaa3bfaf171b0638c7e7feea30d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/wicket/commit/84f62a5cff462eaa3bfaf171b0638c7e7feea30d"},{"reference_url":"https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d@%3Cusers.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d@%3Cusers.wicket.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rce158bb896c9ef812393a11646fdef7b9023833e54854c4302ff7b70@%3Cdev.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rce158bb896c9ef812393a11646fdef7b9023833e54854c4302ff7b70@%3Cdev.wicket.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rce23bba1e11368f9f4cccce0e9b02b88dcdac4e4b2304e66bd098cf5@%3Cannounce.wicket.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rce23bba1e11368f9f4cccce0e9b02b88dcdac4e4b2304e66bd098cf5@%3Cannounce.wicket.apache.org%3E"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/25/2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/05/25/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23937","reference_id":"CVE-2021-23937","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23937"},{"reference_url":"https://github.com/advisories/GHSA-hmhg-95wh-r699","reference_id":"GHSA-hmhg-95wh-r699","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hmhg-95wh-r699"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/504954?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@6.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5zm2-ezt5-abcu"},{"vulnerability":"VCID-v5c2-f7cr-8kes"},{"vulnerability":"VCID-zkdq-1aeq-4yej"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@6.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/23398?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@7.18.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@7.18.0"},{"url":"http://public2.vulnerablecode.io/api/packages/23407?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@8.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w3q-f5uq-sbau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@8.12.0"},{"url":"http://public2.vulnerablecode.io/api/packages/23405?format=json","purl":"pkg:maven/org.apache.wicket/wicket-core@9.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2w3q-f5uq-sbau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@9.3.0"}],"aliases":["CVE-2021-23937","GHSA-hmhg-95wh-r699"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dv5f-29j2-cub5"}],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.wicket/wicket-core@9.3.0"}