Cyber Resilience

CVE-2024-36522

Critical

Published: 12 July 2024
Modified: 10 July 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0827 (92.4th percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36522 is a critical-severity injection vulnerability (CWE-74) in Apache Wicket. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score (0.0827, 92.4th percentile) places it in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an instance of CWE-74 in the default configuration of XSLTResourceStream.java, which permits remote code execution through XSLT injection when the component processes input from an untrusted source without validation. The affected software exposes this behavior in versions prior to the listed fixes, and the issue carries a CVSS 3.1 score of 9.8, reflecting an attack that is network-accessible and low in complexity and that requires no privileges and no user interaction.

An unauthenticated attacker can supply a malicious XSLT payload over the network and achieve arbitrary code execution on the target system, resulting in full compromise of confidentiality, integrity, and availability. The attack requires only that the application use the vulnerable default configuration while handling attacker-controlled data.

Public advisories from the Apache project and the oss-security mailing list direct users to upgrade to Wicket versions 10.1.0, 9.18.0, or 8.16.0 to resolve the flaw. The EPSS score has remained flat at 0.0827 with no material rise since disclosure.

Vulnerability details

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: wicket
Affected versions: 10.0.0; 8.0.0 to 8.16.0; 9.0.0 to 9.18.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

- Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.