Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: wget

Found 4 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-58470
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 3 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GNU Wget 1.25.0 Integer Overflow via Content-Range Header Parsing

GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.

Affected products

wget
  • ==43d3ba9336bc94937e6fae2365c6ffd30c34ffcf
  • =<1.25.0

Matching in nixpkgs

pkgs.wget

Tool for retrieving files using HTTP, HTTPS, and FTP

Ignored packages (4)

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

pkgs.wgetpaste

Command-line interface to various pastebins

  • nixos-unstable 2.34
    • nixpkgs-unstable 2.34
    • nixos-unstable-small 2.34
  • nixos-26.05 2.34
    • nixos-26.05-small 2.34
    • nixpkgs-26.05-darwin 2.34

Package maintainers

Permalink CVE-2026-58469
8.7 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 3 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GNU Wget 1.25.0 Heap Buffer Underread via Metalink URL Parsing

GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.

Affected products

wget
  • =<1.25.0
  • ==37a40fcb450153f69537c7cbc2a7a4fb0b6f7826

Matching in nixpkgs

pkgs.wget

Tool for retrieving files using HTTP, HTTPS, and FTP

Ignored packages (4)

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

pkgs.wgetpaste

Command-line interface to various pastebins

  • nixos-unstable 2.34
    • nixpkgs-unstable 2.34
    • nixos-unstable-small 2.34
  • nixos-26.05 2.34
    • nixos-26.05-small 2.34
    • nixpkgs-26.05-darwin 2.34

Package maintainers

Permalink CVE-2026-58472
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 3 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GNU Wget 1.25.0 Heap Buffer Overflow via HTML Attribute Encoding

GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.

Affected products

wget
  • =<1.25.0
  • ==dd692d9cea5335b181d877ae917fe6e75587a812

Matching in nixpkgs

pkgs.wget

Tool for retrieving files using HTTP, HTTPS, and FTP

Ignored packages (4)

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

pkgs.wgetpaste

Command-line interface to various pastebins

  • nixos-unstable 2.34
    • nixpkgs-unstable 2.34
    • nixos-unstable-small 2.34
  • nixos-26.05 2.34
    • nixos-26.05-small 2.34
    • nixpkgs-26.05-darwin 2.34

Package maintainers

Permalink CVE-2026-58471
6.0 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Passive (P)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Passive (P)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 3 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 packages
    • wget2
    • wgetpaste
    • python313Packages.wget
    • python314Packages.wget
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GNU Wget 1.25.0 Heap Buffer Overflow via convert_fname() in url.c

GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.

Affected products

wget
  • ==c2640fe5171c59f87c58dc9fcb195b2d18b010ee
  • =<1.25.0

Matching in nixpkgs

pkgs.wget

Tool for retrieving files using HTTP, HTTPS, and FTP

Ignored packages (4)

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

pkgs.wgetpaste

Command-line interface to various pastebins

  • nixos-unstable 2.34
    • nixpkgs-unstable 2.34
    • nixos-unstable-small 2.34
  • nixos-26.05 2.34
    • nixos-26.05-small 2.34
    • nixpkgs-26.05-darwin 2.34

Package maintainers