Write maintainable, secure and scalable web applications using just Java and HTML
Latest News Get started Live Examples
Current release: 7.4.0

Introducing Apache Wicket

Invented in 2004, Wicket is one of the few survivors of the Java serverside web framework wars of the mid 2000's. Wicket is an open source, component oriented, serverside, Java web application framework. With a history of over a decade, it is still going strong and has a solid future ahead. Learn why you should consider Wicket for your next web application.

Work with JavaScript and CSS

Global JavaScript libraries and CSS styling mix properly with component local JavaScript and CSS resources. You can use custom component libraries that ship with default JavaScript behaviour and CSS styling, without having to do anything yourself. Creating such self-contained component libraries is as easy as creating a JAR file.

Projects Using Apache Wicket

Many projects use Wicket but are not known for it. Below you find a list of projects that are Powered by Wicket.

This list is generated from our Tumblr feed 'Built with Wicket'. You can submit your own project to this list through this form.

News about Apache Wicket

Get the latest updates to releases, security bulletins, community news and more.

Wicket 1.5.16 released

05 Aug 2016

This is the sixteenth maintenance release of the Wicket 1.5.x series. This release brings over 2 bug fixes.

CHANGELOG for 1.5.16:


  • CVE-2013-2186: Disable (de)serialization of Commons FileUpload items.
  • CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

To use in Maven:


Download the full distribution (including sources)


CVE-2016-3092 & CVE-2013-2186 Apache Commons Fileupload vulnerabilities

05 Aug 2016

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x


CVE-2016-3092: A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

This flaw is not exploitable beyond causing the code to loop expending CPU resources.

CVE-2013-2186: The DiskFileItem class in Apache Commons FileUpload allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Since version 7.0.0 Apache Wicket does not embed Apache Commons FileUpload but uses it as a Maven dependency so an application can just update the dependency to version 1.3.2.

Apache Wicket Team