Apache Wicket 10.9.0 released
The Apache Wicket PMC is proud to announce Apache Wicket 10.9.0!
Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org
This release marks another minor release of Wicket 10. We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 10.0.0.
New and noteworthy
This release fixes the following security issue:
- CVE-2026-43646 crafted URLs can bypass PackageResourceGuard
- CVE-2026-42509 crafted strings can break out of the JavaScript sequence
- CVE-2026-40010 possible session fixation using AuthenticatedWebSession
- CVE-2026-43975 Possible malicious path traversal in FolderUploadsFileManager
Using this release
With Apache Maven update your dependency to (and don’t forget to update any other dependencies on Wicket projects to the same version):
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-core</artifactId>
<version>10.9.0</version>
</dependency>Or download and build the distribution yourself, or use our convenience binary package you can find here:
- Download: http://wicket.apache.org/start/wicket-10.x.html#manually
Upgrading from earlier versions
If you upgrade from 10.y.z this release is a drop in replacement. If you come from a version prior to 10.0.0, please read our Wicket 10 migration guide found at
- http://s.apache.org/wicket10migrate
Have fun!
— The Wicket team
========================================================================
This Release
CHANGELOG for 10.9.0:
Bug
- [WICKET-7174] - DefaultSecureRandomSupplier does not work for FIPS
New Feature
- [WICKET-7169] - Make partHeaderSizeMax in AbstractFileUpload configurable
Improvement
- [WICKET-7172] - Support new CSP style, script directives
- [WICKET-7179] - add support for jQuery 4.0.0