Apache Wicket is vulnerable to remote file manipulation via Java deserialization. It allows an attacker to add, move, and delete files that Apache DiskFileItem has access to. Additionally, if an older Java VM is running, the attacker can control the filename because the NULL byte check doesn’t exist. In that case, the ability to name and place a custom file can lead to remote code execution.