Thank you, Apache Wicket team, for having the fixed version in 10.x available soon.
Could you please share the possible release schedule with the fix for the 8.x and 9.x branches?

Thank you,
-Mihir

On Tue, May 5, 2026, 4:42 AM Andrea Del Bene <[email protected]> wrote:

> The Apache Wicket PMC is proud to announce Apache Wicket 10.9.0!
>
> Apache Wicket is an open source Java component oriented web application
> framework that powers thousands of web applications and web sites for
> governments, stores, universities, cities, banks, email providers, and
> more. You can find more about Apache Wicket at https://wicket.apache.org
>
> This release marks another minor release of Wicket 10. We
> use semantic versioning for the development of Wicket, and as such no
> API breaks are present in this release compared to 10.0.0.
>
> New and noteworthy
> ------------------
>
> This release fixes the following security issue:
>
> * CVE-2026-43646 crafted URLs can bypass PackageResourceGuard
> * CVE-2026-42509 crafted strings can break out of the JavaScript sequence
> * CVE-2026-40010 possible session fixation using AuthenticatedWebSession
> * CVE-2026-43975 Possible malicious path traversal in
>   FolderUploadsFileManager
>
> Using this release
> ------------------
>
> With Apache Maven update your dependency to (and don't forget to
> update any other dependencies on Wicket projects to the same version):
>
>     <dependency>
>         <groupId>org.apache.wicket</groupId>
>         <artifactId>wicket-core</artifactId>
>         <version>10.9.0</version>
>     </dependency>
>
> Or download and build the distribution yourself, or use our
> convenience binary package you can find here:
>
> * Download: http://wicket.apache.org/start/wicket-10.x.html#manually
>
> Upgrading from earlier versions
> -------------------------------
>
> If you upgrade from 10.y.z this release is a drop in replacement. If
> you come from a version prior to 10.0.0, please read our Wicket 10
> migration guide found at
>
> * http://s.apache.org/wicket10migrate
>
> Have fun!
>
> — The Wicket team
>
> ========================================================================
>
> CHANGELOG for 10.9.0:
>
> ** Bug
>
> * [WICKET-7174] - DefaultSecureRandomSupplier does not work for FIPS
>
> ** New Feature
>
> * [WICKET-7169] - Make partHeaderSizeMax in AbstractFileUpload
>   configurable
>
> ** Improvement
>
> * [WICKET-7172] - Support new CSP style, script directives
> * [WICKET-7179] - add support for jQuery 4.0.0
