Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: wget2

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-1858
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse Activity log
  • Created suggestion 4 weeks, 1 day ago
  • @LeSuisse accepted 4 weeks, 1 day ago
  • @LeSuisse published on GitHub 4 weeks, 1 day ago
wget2 Improper Certificate Validation

wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

Affected products

wget2
  • =<2.2.1

Matching in nixpkgs

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

Package maintainers

Patch: https://gitlab.com/gnuwget/wget2/-/commit/f4854d7fbc0a85c1d9873f5980707c0b80df212a
Published
Permalink CVE-2025-69194
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse deleted maintainer @SuperSandro2000 4 months, 2 weeks ago maintainer.delete
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse published on GitHub 4 months, 2 weeks ago
Wget2: arbitrary file write via metalink path traversal in gnu wget2

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.

References

Affected products

wget2
  • ==2.2.1
  • =<2.2.0

Matching in nixpkgs

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

Package maintainers

Ignored maintainers (1)
Published
Permalink CVE-2025-69195
7.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse deleted maintainer @SuperSandro2000 4 months, 2 weeks ago maintainer.delete
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse published on GitHub 4 months, 2 weeks ago
Wget2: gnu wget2: memory corruption and crash via filename sanitization logic with attacker-controlled urls

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.

References

Affected products

wget2
  • ==2.2.1
  • =<2.2.0

Matching in nixpkgs

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

Package maintainers

Ignored maintainers (1)