Write maintainable, secure and scalable web applications using just Java and HTML
Latest News Get started Live Examples
Current release: 7.6.0

Introducing Apache Wicket

Invented in 2004, Wicket is one of the few survivors of the Java serverside web framework wars of the mid 2000's. Wicket is an open source, component oriented, serverside, Java web application framework. With a history of over a decade, it is still going strong and has a solid future ahead. Learn why you should consider Wicket for your next web application.

Work with JavaScript and CSS

Global JavaScript libraries and CSS styling mix properly with component local JavaScript and CSS resources. You can use custom component libraries that ship with default JavaScript behaviour and CSS styling, without having to do anything yourself. Creating such self-contained component libraries is as easy as creating a JAR file.

Projects Using Apache Wicket

Many projects use Wicket but are not known for it. Below you find a list of projects that are Powered by Wicket.

This list is generated from our Tumblr feed 'Built with Wicket'. You can submit your own project to this list through this form.

News about Apache Wicket

Get the latest updates to releases, security bulletins, community news and more.

Apache Wicket 8.0.0-M4 released

07 Feb 2017

The Apache Wicket PMC is proud to announce Apache Wicket 8.0.0-M4!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks the first milestone of the major release of Wicket 8. We use semantic versioning for the development of Wicket, and as such no API breaks are present breaks are present in this release compared to 8.0.0.

Using this release

With Apache Maven update your dependency to (and don’t forget to update any other dependencies on Wicket projects to the same version):


Or download and build the distribution yourself, or use our convenience binary package


CVE-2016-6793 Apache Wicket deserialization vulnerability

31 Dec 2016

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.x and 1.5.x

Description: Depending on the ISerializer set in the Wicket application, it’s possible that a Wicket’s object deserialized from an untrusted source and utilized by the application to causes the code to enter in an infinite loop. Specifically, Wicket’s DiskFileItem class, serialized by Kryo, allows an attacker to hack its serialized form to put a client on an infinite loop if the client attempts to write on the DeferredFileOutputStream attribute.

Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17

Credit: This issue was discovered by Jacob Baines, Tenable Network Security and Pedro Santos

References: https://wicket.apache.org/news