Skip to main content

Wget

16 CVEs product

Monthly

CVE-2026-15146 MEDIUM This Month

GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. No confirmed active exploitation exists (SSVC: exploitation none), and no public POC exploit has been identified at time of analysis; the NVD-provided CVSS attack vector (AV:L) appears inconsistent with the network-based attack mechanism and may be an error.

SSRF Wget
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-58472 MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.

Integer Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-58471 MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.

Heap Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-58470 MEDIUM PATCH This Month

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.

Integer Overflow Buffer Overflow Wget
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-58469 HIGH PATCH This Week

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.

Buffer Overflow Information Disclosure Wget
NVD VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2024-38428 CRITICAL PATCH Act Now

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wget
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2021-31879 MEDIUM This Month

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Wget Brocade Fabric Operating System Firmware Cloud Backup Ontap Select Deploy Administration Utility +2
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2019-5953 CRITICAL Act Now

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Wget
NVD
CVSS 3.0
9.8
EPSS
5.8%
CVE-2018-20483 HIGH POC This Week

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wget
NVD
CVSS 3.0
7.8
EPSS
0.7%
CVE-2018-0494 MEDIUM POC PATCH THREAT This Month

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Wget Ubuntu Linux Debian Linux Enterprise Linux Desktop +2
NVD Exploit-DB
CVSS 3.0
6.5
EPSS
17.0%
CVE-2017-13090 HIGH PATCH This Week

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Wget Debian Linux
NVD
CVSS 3.0
8.8
EPSS
8.6%
CVE-2017-13089 HIGH PATCH Act Now

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 75.8%.

Buffer Overflow Stack Overflow Wget Debian Linux
NVD GitHub
CVSS 3.0
8.8
EPSS
75.8%
Threat
4.0
CVE-2017-6508 MEDIUM POC PATCH This Month

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Wget
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2016-7098 HIGH POC This Week

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Authentication Bypass Wget
NVD Exploit-DB
CVSS 3.0
8.1
EPSS
6.7%
CVE-2016-4971 HIGH POC PATCH THREAT Act Now

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.0%.

Information Disclosure Wget Ubuntu Linux Solaris Pan Os
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
75.0%
Threat
5.5
CVE-2014-4877 CRITICAL POC PATCH THREAT Act Now

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 74.3%.

Path Traversal RCE Wget
NVD GitHub
CVSS 2.0
9.3
EPSS
74.3%
Threat
5.6
EPSS 0% CVSS 5.9
MEDIUM This Month

GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. No confirmed active exploitation exists (SSVC: exploitation none), and no public POC exploit has been identified at time of analysis; the NVD-provided CVSS attack vector (AV:L) appears inconsistent with the network-based attack mechanism and may be an error.

SSRF Wget
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.

Integer Overflow Buffer Overflow Wget
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.

Heap Overflow Buffer Overflow Wget
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.

Integer Overflow Buffer Overflow Wget
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.

Buffer Overflow Information Disclosure Wget
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Wget
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Wget Brocade Fabric Operating System Firmware +4
NVD
EPSS 6% CVSS 9.8
CRITICAL Act Now

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +1
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wget
NVD
EPSS 17% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Wget Ubuntu Linux +4
NVD Exploit-DB
EPSS 9% CVSS 8.8
HIGH PATCH This Week

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Wget +1
NVD
EPSS 76% 4.0 CVSS 8.8
HIGH PATCH Act Now

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 75.8%.

Buffer Overflow Stack Overflow Wget +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Wget
NVD
EPSS 7% CVSS 8.1
HIGH POC This Week

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Race Condition Authentication Bypass Wget
NVD Exploit-DB
EPSS 75% 5.5 CVSS 8.8
HIGH POC PATCH THREAT Act Now

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.0%.

Information Disclosure Wget Ubuntu Linux +2
NVD Exploit-DB
EPSS 74% 5.6 CVSS 9.3
CRITICAL POC PATCH THREAT Act Now

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 74.3%.

Path Traversal RCE Wget
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy