Description

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

INFO

Published Date :

2026-05-06T08:34:30.480Z

Last Modified :

2026-05-06T09:51:10.306Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40010 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40010.

URL Resource
https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System