NIXPKGS-2026-1293

GitHub issue published on

Permalink CVE-2026-1858

4.8 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 8 hours ago
@LeSuisse accepted 3 hours ago
@LeSuisse published on GitHub 3 hours ago

wget2 Improper Certificate Validation

wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

References

https://www.tenable.com/security/research/tra-2026-37

Affected products

wget2

=<2.2.1

Matching in nixpkgs

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

nixos-unstable 2.2.1
- nixpkgs-unstable 2.2.1
- nixos-unstable-small 2.2.1
nixos-25.11 2.2.1
- nixos-25.11-small 2.2.1
- nixpkgs-25.11-darwin 2.2.1

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Patch: https://gitlab.com/gnuwget/wget2/-/commit/f4854d7fbc0a85c1d9873f5980707c0b80df212a

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1293

References

Affected products

Matching in nixpkgs

pkgs.wget2

Package maintainers