CVE-2026-40010
CRITICALDescription
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| apache | wicket |
| apache | wicket |
| apache | wicket |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2026-40010? +
How severe is CVE-2026-40010? +
What products are affected by CVE-2026-40010? +
How do I check if I'm vulnerable to CVE-2026-40010? +
Related Vulnerabilities
Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from …
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same …
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized …
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints …
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could …
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with …