Wget
This hub aggregates every CVE we track for Wget, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
26
CVEs tracked
3
Critical
7
High
0
In CISA KEV
Severity distribution
MEDIUM15HIGH7CRITICAL3LOW1
Monthly trend
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
5
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Wget.
- CVE-2026-15146CVE-2026-151465.9
- CVE-2026-58472GNU Wget 1.25.0 Heap Buffer Overflow via HTML Attribute Encoding5.9
- CVE-2026-58471GNU Wget 1.25.0 Heap Buffer Overflow via convert_fname() in url.c5.9
- CVE-2026-58470GNU Wget 1.25.0 Integer Overflow via Content-Range Header Parsing5.3
- CVE-2026-58469GNU Wget 1.25.0 Heap Buffer Underread via Metalink URL Parsing7.5
- CVE-2024-10524GNU Wget is vulnerable to an SSRF attack when accessing partially-user-controlled shorthand URLs6.5
- CVE-2024-38428url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcompon...9.1
- CVE-2021-31879GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.6.1
- CVE-2019-5953Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors.9.8
- CVE-2018-20483set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local...7.8
- CVE-2018-0494GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.6.5
- CVE-2017-13090GNU Wget: heap overflow in HTTP protocol handling8.8
- CVE-2017-13089GNU Wget: stack overflow in HTTP protocol handling8.8
- CVE-2017-6508CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.6.1
- CVE-2016-7098Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTT...8.1
Product normalization is registry-driven with AI assist and human review. How it works