Search Results (27 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-58472 2 Gnu, Wget 2 Wget, Wget 2026-07-14 5.9 Medium
GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
CVE-2026-58471 2 Gnu, Wget 2 Wget, Wget 2026-07-14 5.9 Medium
GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
CVE-2026-58470 2 Gnu, Wget 2 Wget, Wget 2026-07-14 5.3 Medium
GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
CVE-2026-58469 2 Gnu, Wget 2 Wget, Wget 2026-07-14 7.5 High
GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
CVE-2026-1858 1 Gnu 1 Wget2 2026-05-05 4.8 Medium
wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
CVE-2006-6719 1 Gnu 1 Wget 2026-04-23 N/A
The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) GNU wget 1.10.2 allows remote attackers to cause a denial of service (application crash) via a malicious FTP server with a large number of blank 220 responses to the SYST command.
CVE-2009-3490 2 Gnu, Redhat 2 Wget, Enterprise Linux 2026-04-23 N/A
GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVE-1999-0402 1 Gnu 1 Wget 2026-04-16 N/A
wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.
CVE-2004-2014 2 Gnu, Redhat 2 Wget, Enterprise Linux 2026-04-16 N/A
Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded.
CVE-2004-1488 2 Gnu, Redhat 2 Wget, Enterprise Linux 2026-04-16 N/A
wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.
CVE-2004-1487 2 Gnu, Redhat 2 Wget, Enterprise Linux 2026-04-16 N/A
wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences.
CVE-2002-1344 3 Gnu, Redhat, Sun 4 Wget, Enterprise Linux, Linux and 1 more 2026-04-16 N/A
Directory traversal vulnerability in wget before 1.8.2-4 allows a remote FTP server to create or overwrite files as the wget user via filenames containing (1) /absolute/path or (2) .. (dot dot) sequences.
CVE-2024-10524 1 Gnu 1 Wget 2026-04-15 6.5 Medium
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
CVE-2025-69195 1 Gnu 2 Wget, Wget2 2026-03-05 7.6 High
A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.
CVE-2025-69194 1 Gnu 2 Wget, Wget2 2026-03-05 8.8 High
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.
CVE-2024-38428 2 Gnu, Redhat 6 Wget, Enterprise Linux, Rhel Aus and 3 more 2025-04-21 9.1 Critical
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
CVE-2017-13089 3 Debian, Gnu, Redhat 3 Debian Linux, Wget, Enterprise Linux 2025-04-20 N/A
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
CVE-2017-6508 1 Gnu 1 Wget 2025-04-20 N/A
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
CVE-2017-13090 3 Debian, Gnu, Redhat 3 Debian Linux, Wget, Enterprise Linux 2025-04-20 N/A
The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
CVE-2014-4877 2 Gnu, Redhat 3 Wget, Enterprise Linux, Rhel Eus 2025-04-12 N/A
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.