GHSA-qpjw-p3jg-59j6

Source
https://github.com/advisories/GHSA-qpjw-p3jg-59j6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qpjw-p3jg-59j6/GHSA-qpjw-p3jg-59j6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qpjw-p3jg-59j6
Aliases
  • CVE-2026-40010
Published
2026-05-06T12:30:25Z
Modified
2026-05-11T14:49:26.684483Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Apache Wicket has a Session Fixation issue
Details

Apache Wicket does not invoke the Servlet HTTP request method changeSessionId after binding the session, so the session identifier issued before authentication is kept afterwards; this can be exploited for a session fixation attack.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Database specific
{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-05-11T14:25:05Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "nvd_published_at": "2026-05-06T10:16:20Z"
}
References

Affected packages

Maven
org.apache.wicket:wicket-auth-roles

Package

Name
org.apache.wicket:wicket-auth-roles
Purl
pkg:maven/org.apache.wicket/wicket-auth-roles

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0-M1
Last affected
8.17.0

Affected versions

8.*
8.0.0-M1
8.0.0-M2
8.0.0-M3
8.0.0-M4
8.0.0-M5
8.0.0-M6
8.0.0-M7
8.0.0-M8
8.0.0-M9
8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
8.5.0
8.6.0
8.6.1
8.7.0
8.8.0
8.9.0
8.10.0
8.11.0
8.12.0
8.13.0
8.14.0
8.15.0
8.16.0
8.17.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qpjw-p3jg-59j6/GHSA-qpjw-p3jg-59j6.json"
org.apache.wicket:wicket-auth-roles

Package

Name
org.apache.wicket:wicket-auth-roles
Purl
pkg:maven/org.apache.wicket/wicket-auth-roles

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0-M1
Last affected
9.22.0

Affected versions

9.*
9.0.0-M1
9.0.0-M2
9.0.0-M3
9.0.0-M4
9.0.0-M5
9.0.0
9.1.0
9.2.0
9.3.0
9.4.0
9.5.0
9.6.0
9.7.0
9.8.0
9.9.0
9.9.1
9.10.0
9.11.0
9.12.0
9.13.0
9.14.0
9.15.0
9.16.0
9.17.0
9.18.0
9.19.0
9.20.0
9.21.0
9.22.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qpjw-p3jg-59j6/GHSA-qpjw-p3jg-59j6.json"
org.apache.wicket:wicket-auth-roles

Package

Name
org.apache.wicket:wicket-auth-roles
Purl
pkg:maven/org.apache.wicket/wicket-auth-roles

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0-M1
Fixed
10.9.0

Affected versions

10.*
10.0.0-M1
10.0.0-M2
10.0.0
10.1.0
10.2.0
10.3.0
10.4.0
10.5.0
10.6.0
10.7.0
10.8.0

Database specific

last_known_affected_version_range
"<= 10.8.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qpjw-p3jg-59j6/GHSA-qpjw-p3jg-59j6.json"