GHSA-hhwc-gh8h-9rrp

GitHub Security Advisory

Apache Wicket: Remote code execution via XSLT injection

GitHub Reviewed; severity: HIGH; has CVE

Advisory Details

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when it processes input from an untrusted source without validation.
Users should upgrade to version 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Affected Packages

Maven org.apache.wicket:wicket-util, affected versions: 10.0.0-M1 (fixed in 10.1.0)
Maven org.apache.wicket:wicket-util, affected versions: 9.0.0 (fixed in 9.18.0)
Maven org.apache.wicket:wicket-util, affected versions: 8.0.0 (fixed in 8.16.0)

Key Information

GHSA ID: GHSA-hhwc-gh8h-9rrp
Published: July 12, 2024 3:31 PM
Last Modified: July 18, 2024 3:19 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: org.apache.wicket:wicket-util
GitHub Reviewed: Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.