Skip to main content

GNU Wget CVE-2026-58472

| EUVDEUVD-2026-42084 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-07-07 VulnCheck GHSA-332r-8pmf-8m9p
6.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AV:N because the malicious server triggers the flaw over the network; AC:H and UI:R because the victim must run wget against an attacker URL; A:H for heap corruption causing crash; no confidentiality impact; I:L for potential heap write primitive.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 20:55 vuln.today

DescriptionCVE.org

GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.

AnalysisAI

Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the html_quote_string() function in src/convert.c, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker deploys malicious web server
Delivery
Crafts HTML response with oversized entity-requiring attribute
Exploit
Victim runs wget against attacker URL
Install
html_quote_string() signed integer overflows during size accumulation
C2
Undersized heap buffer allocated
Execute
Out-of-bounds write during copy phase
Impact
wget process crash or heap exploitation

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim user or automated process runs GNU Wget version 1.25.0 or earlier to download content from an attacker-controlled server. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.0 with vector AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N reflects realistic exploitation constraints accurately. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operates a malicious web server and lures a victim user or automated script to run `wget` against a URL on that server. The server responds with an HTML page containing an attribute value composed of thousands of characters requiring HTML entity encoding; when wget processes this response through its link-conversion code, the signed integer counter in `html_quote_string()` overflows, an undersized heap buffer is allocated, and the copy phase writes beyond it - crashing the wget process or, in a more sophisticated heap-layout attack, potentially redirecting execution. …
Remediation The primary fix is to apply upstream commit dd692d9 from the GNU Wget GitLab repository (https://gitlab.com/gnuwget/wget/-/commit/dd692d9cea5335b181d877ae917fe6e75587a812), or to upgrade wget via your Linux distribution's package manager once a patched release is available (e.g., `apt upgrade wget` on Debian/Ubuntu or `dnf update wget` on RHEL/Fedora). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wget

View all
CVE-2014-4877 CRITICAL POC
9.3 Oct 29

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to w

CVE-2016-4971 HIGH POC
8.8 Jun 30

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F

CVE-2017-13089 HIGH
8.8 Oct 27

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high sev

CVE-2016-7098 HIGH POC
8.1 Sep 26

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow

CVE-2018-20483 HIGH POC
7.8 Dec 26

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata at

CVE-2017-13090 HIGH
8.8 Oct 27

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-0494 MEDIUM POC
6.5 May 06

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequen

CVE-2017-6508 MEDIUM POC
6.1 Mar 07

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject

CVE-2019-5953 CRITICAL
9.8 May 17

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute

CVE-2024-38428 CRITICAL
9.1 Jun 16

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be inse

CVE-2026-58469 HIGH
8.7 Jul 07

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving

CVE-2026-58470 MEDIUM
6.9 Jul 07

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sess

Share

CVE-2026-58472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy