NIXPKGS-2026-1293

GitHub issue published 1 month, 3 weeks ago

Permalink CVE-2026-1858

4.8 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 4 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

wget2 Improper Certificate Validation

wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

References

https://www.tenable.com/security/research/tra-2026-37

Affected products

wget2

=<2.2.1

Matching in nixpkgs

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

nixos-unstable 2.2.1
- nixpkgs-unstable 2.2.1
- nixos-unstable-small 2.2.1

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>

Patch: https://gitlab.com/gnuwget/wget2/-/commit/f4854d7fbc0a85c1d9873f5980707c0b80df212a

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1293

References

Affected products

Matching in nixpkgs

pkgs.wget2

Package maintainers