
CVE-2024-36522


The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.


Published: 2024-07-12T13:15:11.867
Last Modified: 2025-07-10T17:53:04.740
Status: Analyzed
Source: [email protected]
Severity: CVSSv3.1 9.8 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-74

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  apache  wicket   < 8.16.0       Yes
Application  apache  wicket   < 9.18.0       Yes
Application  apache  wicket   10.0.0         Yes
Application  apache  wicket   10.0.0         Yes
