CVE-2026-40010 · CRITICAL 9.1 · EPSS p29.6%


Description

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.38% probability of exploitation · percentile 29.6% · 2026-06-18T12:00:27Z
Published: 2026-05-06
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-384

References

  1. https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1
  2. http://www.openwall.com/lists/oss-security/2026/05/06/1

Mapped weaknesses · 1

Type      Target                      Confidence  Tier
Weakness  Session Fixation (cwe-384)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2009-10007
  - CVE: CVE-2026-25101
  - CVE: CVE-2026-7507
  - CVE: CVE-2026-43512
  - CVE: CVE-2026-24352
  - CVE: CVE-2025-10228
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.