Files or Directories Accessible to External Parties
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket through versions 7.16.0, 8.8.0 and 9.0.0-M5
CWE-552 - Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.