Apache Wicket 9.17.0 released

17 Mar 2024

The Apache Wicket PMC is proud to announce Apache Wicket 9.17.0!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks another minor release of Wicket 9. We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 9.0.0.

New and noteworthy

This release fixes the following security issue:

  • CVE-2024-27439 - ‘Possible bypass of CSRF protection’ Reported by Jo Theunis.

Using this release

With Apache Maven update your dependency to (and don’t forget to update any other dependencies on Wicket projects to the same version):


Or download and build the distribution yourself, or use our convenience binary package you can find here:

  • Download: http://wicket.apache.org/start/wicket-9.x.html#manually

Upgrading from earlier versions

If you upgrade from 9.y.z this release is a drop in replacement. If you come from a version prior to 9.0.0, please read our Wicket 9 migration guide found at

  • http://s.apache.org/wicket9migrate

Have fun!

— The Wicket team


This Release

CHANGELOG for 9.17.0:

  • [WICKET-7086] - Injecting Spring bean may cause ClassCastException
  • [WICKET-7091] - FilePageStore throws NPE
  • [WICKET-7096] - stylesheets referenced via automatic linking miss nonce attribute
  • [WICKET-7097] - ServletWebResponse allows writing headers to committed HttpServletResponse
  • [WICKET-7093] - Add support for missing CSP directives
  • [WICKET-7094] - Make all CSP schemes configurable
  • [WICKET-7099] - Validate FormTester constructor parameter workingForm